The promise of sharing our data from one site with another raises plenty of privacy concerns. While not all of these worries can be solved by technology, one definitely can. You should not have to share your password in order for services to access your content on other sites. That’s where OAuth comes in. It’s “an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.”
It’s hardly a new technology. We wrote about the spec for the first version in 2007, noting the potential for more personal mashups. It has been adopted by many services including the Twitter API and multiple APIs from both Google and Yahoo. In our API directory one of the things we track is OAuth support. And as of this week, we list 76 OAuth APIs.
OAuth’s supporters often compare the protocol to the valet key of a luxury car: such a key lets a parking attendant drive the car in a limited fashion, barring access to the trunk or onboard phone and restricting the operating radius to a mile or two. In a similar fashion, OAuth lets an end user authenticate to the site that holds their data and grant a second site limited access to it, without ever giving that second site their password. The second site receives a revocable access token scoped to what the user approved, not the user’s credentials, and the user can later cut off that one token without changing the password that every other consumer would otherwise share.
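The delegation the valet-key analogy describes is enforced on the wire by signed requests rather than by passwords. What follows is an added example, not code from the original article or from any of the providers it names: a minimal OAuth 1.0 (RFC 5849) HMAC-SHA1 signer for the consumer side and a matching verifier for the provider side, including the replay checks (timestamp window and nonce uniqueness) a provider needs. The function and class names (pct, base_string, sign, sign_request, parse_auth_header, Provider) are assumptions of this example; the URL, keys and secrets are the constructed sample values from RFC 5849 section 3.4.1.1, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s):
    # RFC 5849 section 3.6: encode everything except the RFC 3986 unreserved set
    return quote(s, safe="-._~")


def base_string(method, url, body_params, oauth_params):
    """Signature base string (RFC 5849 section 3.4.1)."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    default = (scheme == "http" and u.port == 80) or (scheme == "https" and u.port == 443)
    port = f":{u.port}" if u.port and not default else ""
    base_uri = f"{scheme}://{host}{port}{u.path or '/'}"
    # Query, form-body and oauth_* parameters are all signed; the signature
    # itself and the realm are not.
    params = list(parse_qsl(u.query, keep_blank_values=True)) + list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with both secrets, base64-encoded (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, timestamp=None, nonce=None):
    """Consumer side: build the Authorization header for one API call.
    Only the consumer secret and the granted access token are used; the
    user's password is never involved."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    oauth["oauth_signature"] = sign(base_string(method, url, body_params, oauth),
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())


def parse_auth_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    fields = {}
    for part in header[6:].split(","):
        k, _, v = part.strip().partition("=")
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields


class Provider:
    """Service-provider side: recompute the signature and reject replays."""

    def __init__(self, consumers, tokens, now=time.time, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # access token -> (token_secret, issued-to consumer_key)
        self.now, self.window = now, window
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, body_params, header):
        try:
            p = parse_auth_header(header)
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        tok = self.tokens.get(p.get("oauth_token"))
        if consumer_secret is None or tok is None:
            return False
        token_secret, issued_to = tok
        if issued_to != p["oauth_consumer_key"]:
            return False  # token was granted to a different consumer
        if abs(self.now() - ts) > self.window:
            return False  # stale or future-dated request
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False  # same nonce inside the window: a replay
        expected = sign(base_string(method, url, body_params, p), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay_key)  # record the nonce only after the signature checks out
        return True


# Constructed sample values from RFC 5849 section 3.4.1.1; not real credentials.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = [("c2", ""), ("a3", "2 q")]
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"
```

Two design points matter for a provider. The signature covers the method, the normalized URL and every query, body and oauth_* parameter, so an attacker who captures one signed request cannot reuse it against a different resource or with altered parameters; and the nonce is recorded only after the signature verifies, because recording it first would let anyone who can guess a consumer key burn nonces and deny service to the legitimate consumer. The consumer secret and token secret stay on their respective sides; nothing resembling the user’s password is ever transmitted.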
For simplicity and security, many API providers are now considering only supporting OAuth. Twitter will go OAuth-only on June 30. Location-sharing service FourSquare proposed the same on its mailing list:
OAuth-only: believe it or not, this is how the v1 api started — and then we backed off because we saw so much demand for a basic http auth
OAuth takes a bit more work at both the provider and developer level, though there are libraries on each side that make it easier. And with advances like the new OAuth 2 (already adopted by Facebook), you can expect OAuth to be the choice for authenticated APIs going forward. One caveat for anyone picking a library: OAuth 2 is not wire-compatible with OAuth 1. It drops the per-request HMAC signatures in favor of bearer tokens whose only protection is the TLS connection they travel over, so a client built for one will not talk to a provider running the other, and an OAuth 2 API served over plain HTTP leaks the token itself.