Messaging News - August 2008 - (Page 31)

On Message with Ben Gross

OAuth: Giving Access to the Castle Without Losing Control

As online services such as Webmail, photo sharing sites, social networks, and browser-based office suites grow in popularity, we store more and more data in the “cloud.” The problem is: Data in the cloud is often just as incompatible and inaccessible as data in traditional client applications. OAuth provides a mechanism for services and applications to easily and securely share data and features. Eran Hammer-Lahav, who was involved in the OAuth specification early on, likens OAuth to a valet key used in luxury cars. The valet key allows someone to park the car, but not necessarily to access the trunk or other car electronics, such as the integrated mobile phone address book.

Online address books for Webmail and lists of contacts in social network services are common types of data we might wish to share across services. Until very recently there have been few ways to share contacts across consumer services, which has led to a nearly pervasive workaround that is a genuinely bad idea for a number of reasons.

Here is how the workaround is typically handled. Alice has an account with ExistingSocialNetwork.com where she has lots of friends and contacts. Alice has signed up with NewSocialNetwork.com, but balks at the idea of manually reentering the 112 friends she would like to migrate to the new service. What NewSocialNetwork.com does is offer Alice an interface to import her contacts from ExistingSocialNetwork.com simply by providing her credentials for that service. A minute later all of her contacts are imported into the new service and Alice is happy. So what’s the problem here? To recap, the new service asked Alice to enter her login and password for the existing service and then used those credentials to extract the contact information from the existing service.
This is bad for the following reasons:

Security: Nearly every example I looked at caused the user to type in the login and password over an insecure connection, even if the original service provider had a secure login method by default.

Revocability: Once the user has provided credentials for the first service, there is no mechanism for preventing the second service from caching and reusing those credentials at a later date, aside from changing the password on the first service.

Limited Scope: There is no way for the user to know whether the service extracting the data will extract additional data beyond what the user requested.

User Behavioral Training: This practice makes the user accustomed to entering credentials in locations other than the ones provided by the vendor, without the normal security protections.

Privacy: The user must provide their identity on the first service as part of the credentials in order to allow the second service to extract the data.

What OAuth Does

OAuth is a simple standard for one service to provide access to resources such as contacts, photos, or other data to another service or application. Users can revoke access at any time and do not have to reveal their credentials, only a potentially anonymous token, to the requesting service or application. Access is granular: providing the requesting service access to your address book does not also give that same service the ability to post to your blog or view your advertising revenue. What this means is that Web-based services and applications now have a potential way to solve the problem of Alice exporting her contacts from one service to another in a way that is secure, revocable,
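The three properties the column attributes to OAuth (no credential disclosure, revocation at any time, granular scope) are shown below in a constructed Python example added here; it is not code from the column or from any OAuth library. It assumes a single process playing both the authorization server and ExistingSocialNetwork's API, with made-up users, scope names and contact data.

```python
import hashlib, hmac, secrets

class AuthorizationServer:
    """Issues scoped, revocable tokens (constructed example of the valet-key model)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # HMAC key, never leaves this server
        self._grants = {}                    # token id -> (user, scopes)

    def issue_token(self, user, scopes):
        """Alice approves a requesting service for a limited set of scopes.
        The token carries neither her password nor her identity."""
        token_id = secrets.token_urlsafe(16)
        self._grants[token_id] = (user, frozenset(scopes))
        tag = hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()
        return f"{token_id}.{tag}"

    def revoke(self, token):
        """Alice withdraws access; the token stops working at once."""
        self._grants.pop(token.partition(".")[0], None)

    def check(self, token, required_scope):
        """Return the owning user if the token is authentic, unrevoked and
        authorized for required_scope; otherwise None."""
        token_id, _, tag = token.partition(".")
        expected = hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or tampered token
        grant = self._grants.get(token_id)
        if grant is None:
            return None                      # revoked or never issued
        user, scopes = grant
        return user if required_scope in scopes else None

class ResourceServer:
    """ExistingSocialNetwork's API: each endpoint names the scope it needs."""
    def __init__(self, auth):
        self.auth = auth
        self.contacts = {"alice": ["bob", "carol"]}  # constructed sample data
        self.posts = {"alice": []}

    def get_contacts(self, token):
        user = self.auth.check(token, "contacts:read")
        return list(self.contacts[user]) if user else None

    def post_to_blog(self, token, text):
        user = self.auth.check(token, "blog:write")
        if user is None:
            return False
        self.posts[user].append(text)
        return True
```

A token issued for "contacts:read" exports the address book but cannot post to the blog, and once revoked it is rejected even though it is still in the requesting service's hands.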