Messaging News - August 2008 - (Page 32) ON MESSAGE

limited in scope, more private, and encourages good user behavior. OAuth does not attempt to solve other problems that can arise such as privacy policy management or data duplication and skew.

OAuth is a simple standard for one service to provide access to resources such as contacts, photos, or other features to another service or application.

In my last Messaging News column I wrote about the OpenID authentication framework and the challenges it faces to become a mainstream Internet-scale Single Sign On (SSO) mechanism. While OpenID focuses on authentication, OAuth focuses on authorization. Often descriptions of authentication and authorization are conflated. The two mechanisms are intimately connected; however, it is important to distinguish one from the other. The descriptions are often further confused as the documentation may refer to “API authentication” when simply using authorization or access control would be a clearer description.

Authentication is the process where a person (although it could be a computer or other device) presents a series of credentials, such as a username and a password, and those credentials are verified against an authoritative source. If all the credentials verify correctly, then the system considers the identity verified. (Note: While a wide variety of mechanisms from tokens to biometrics could be used as stronger credentials, it is not important to this example.)

Authorization is the mechanism that determines what resources a verified identity has access to. For instance, authorization is the mechanism that determines whether or not your authenticated identity should be able to access only your salary information in the HR database or the salary information of everyone in the company. Authorization is often implemented as access control lists (ACLs), such as in file systems or keyless entry systems.

The first public draft of OAuth was released in September 2007 and the final draft of OAuth Core 1.0 was released in December 2007. Additional OAuth mechanisms are in the process of standardization. For example, there is a draft specification for the OAuth Discovery protocol that should simplify the configuration of OAuth-enabled services. There are OAuth API libraries for most languages commonly used in Web development including Python, PHP, Ruby, Perl, Java, C#, and Objective-C.

Background to OAuth

There are a number of modern predecessors to OAuth including Flickr Auth, Yahoo’s BBAuth, Google’s AuthSub, and AOL OpenAuth. Compared to OAuth, each of these mechanisms has slight variations, advantages, and disadvantages. OAuth is vendor agnostic, which is a major advantage for developers who would otherwise need to support each vendor’s authorization mechanism (assuming they have one). OAuth is designed as an authorization solution for consumer services and applications. Enterprise standards for authorization as part of the Web Services (WS-*) collection are still in flux and span a number of specifications. The authors of the OAuth specification looked at the functionality of existing systems and attempted to reuse as much functionality from existing implementations as possible. Many of the systems combine authentication and authorization. However, OAuth is designed to assume that authentication is handled by another mechanism.

Yahoo! began to support OAuth in March 2008 for its Fire Eagle location-based service. In June of 2008 Google announced support for OAuth in all of its Data APIs (GData). Additional companies that have current implementations of OAuth include: Get Satisfaction, Ma.gnolia, PhotoBucket, and SmugMug. Numerous other companies demonstrated experimental implementations at the recent OAuth Summit. The number of OAuth enabled services from both large and small providers will expand substantially in the next six months.
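To make the separation of authentication from authorization concrete, here is an added illustration (not code from this column or from any OAuth library) of the OAuth Core 1.0 token flow in Python, with request signing and HTTP transport left out: the service provider authenticates the user itself, and the consumer only ever handles tokens. The consumer key "printshop", the user "alice" with her password, and the contact list are constructed sample data.

```python
import secrets

class ServiceProvider:
    def __init__(self, consumers):
        self.consumers = consumers                   # consumer_key -> secret (pre-registered)
        self.users = {"alice": "correct horse"}      # constructed sample credential
        self.contacts = {"alice": ["bob", "carol"]}  # constructed protected resource
        self.request_tokens = {}                     # token -> {"consumer": key, "user": None or name}
        self.access_tokens = {}                      # token -> (consumer_key, user)

    def request_token(self, consumer_key):
        # Step 1: a registered consumer obtains an unauthorized request token
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None}
        return token

    def authorize(self, token, username, password):
        # Step 2: authentication happens here, between user and provider; the consumer
        # never sees the password. The user's approval is the authorization decision.
        if token not in self.request_tokens or self.users.get(username) != password:
            raise PermissionError("authentication failed")
        self.request_tokens[token]["user"] = username

    def access_token(self, consumer_key, token):
        # Step 3: only an approved request token, presented by the consumer that
        # obtained it, is exchanged for an access token; the request token is consumed
        entry = self.request_tokens.get(token)
        if entry is None or entry["consumer"] != consumer_key or entry["user"] is None:
            raise PermissionError("request token not authorized")
        del self.request_tokens[token]
        new_token = secrets.token_hex(8)
        self.access_tokens[new_token] = (consumer_key, entry["user"])
        return new_token

    def get_contacts(self, consumer_key, token):
        # Protected resource, scoped to the one user who approved this token
        owner = self.access_tokens.get(token)
        if owner is None or owner[0] != consumer_key:
            raise PermissionError("access denied")
        return list(self.contacts[owner[1]])

def delegated_flow():
    # Full three-step flow; the consumer ends up with alice's contacts, not her password
    sp = ServiceProvider({"printshop": "constructed-secret"})
    rt = sp.request_token("printshop")
    sp.authorize(rt, "alice", "correct horse")       # user acts directly with the provider
    return sp.get_contacts("printshop", sp.access_token("printshop", rt))
```

A request token the user never approved cannot be exchanged, and an exchanged request token cannot be reused, which is what keeps the consumer's access limited to what the user delegated.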
OAuth is an important contribution as it is a vendor-neutral specification for Internet-scale delegated authorization. The first draft of the OAuth specification is complete. There are libraries for most common languages used in consumer Web services, as well as a number of implementations on popular consumer services. However, the specification is still in its early stages and there are many open questions and problems to solve, such as how to improve the user experience, and extensions to be standardized to make the specification easier to use and simpler to deploy.

BG/TMP

FOR YOUR REFERENCE
OAuth: http://oauth.net/
OAuth Google Group: http://groups.google.com/group/oauth