OAuth

OAuth logo

OAuth (Open Authorization) is an open standard for authorization. It allows users to share their private resources (e.g., photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password.

OAuth allows users to hand out tokens instead of credentials to their data hosted by a given service provider. Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours). This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.

OAuth is a service that is complementary to, but distinct from, OpenID.

Contents

History

OAuth began in November 2006, during which Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Ma.gnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation.

The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton from Google learned of the OAuth project, and expressed his interest in supporting the effort. In July 2007 the team drafted an initial specification. Eran Hammer-Lahav joined and coordinated the many OAuth contributions, creating a more formal specification. On October 3, 2007, the OAuth Core 1.0 final draft was released.

At the 73rd Internet Engineering Task Force meeting in Minneapolis in November of 2008, an OAuth BOF was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.

The OAuth 1.0 Protocol was published as RFC 5849, an informational Request for Comments, in April 2010.

Since August 31, 2010, all third party Twitter applications have been required to use OAuth.[1]

OAuth 2.0

OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification is being developed[2] within the IETF OAuth WG and is expected to be finalized by the end of 2010 according to Eran Hammer-Lahav.[3]

Facebook's new Graph API only supports OAuth 2.0 and is the largest implementation of the emerging standard.[4] As of 2011, both Google[5] and Microsoft[6] had added OAuth 2.0 experimental support to their APIs.

Security

On April 23, 2009, a session fixation security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as "3-legged OAuth") in OAuth Core 1.0 Section 6.[7] Version 1.0a of the OAuth Core protocol was issued to address this issue.[8]

There is a debate over security concerns of OAuth.[9][10]

Uses

OAuth can be potentially used as an authorizing mechanism to consume secured (i.e., authenticated) RSS/ATOM feeds. Consumption of RSS/ATOM feeds that requires authentication has always been an issue. For example; an RSS feed from a secured Google Sites can not be consumed using Google Reader. 3-Legged OAuth can be used to authorize Google Reader to the RSS feed from that Google Site.

OpenID vs. pseudo-authentication using OAuth

The following drawing highlights the differences between using OpenID vs. OAuth for authentication. Note that with OpenID, the process starts by the application asking the user for their identity (typically a openid URI), whereas in the case of OAuth, the application directly requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.

OpenID vs. pseudo-authentication using OAuth

See also

References

External links


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • OAuth — Logo OAuth ist ein offenes Protokoll, das eine standardisierte, sichere API Autorisierung für Desktop , Web und mobile Anwendungen erlaubt. Es wurde von Blaine Cook und Chris Messina initiiert. Ein Endbenutzer (User) kann mit Hilfe dieses… …   Deutsch Wikipedia

  • OAuth — est un protocole libre, créé par Blaine Cook et Chris Messina, qui permet l authentification à une API sécurisée d une façon simple et standard depuis son bureau ou une application web. Pour les développeurs d une application accédant à une API,… …   Wikipédia en Français

  • OAuth — (Open Authorization) es un protocolo abierto, propuesto por Blaine Cook y Chris Messina, que permite autorización segura de un API de modo estándar y simple para aplicaciones de escritorio, móviles, y web. Para desarrolladores de consumidores,… …   Wikipedia Español

  • OAuth — Логотип OAuth OAuth  открытый протокол авторизации, который позволяет предоставить третьей стороне ограниченный доступ к защищенным ресурсам пользователя без необходимости передавать ей (третьей стороне) логин и пароль. На …   Википедия

  • XRDS — (Kurzform für: eXtensible Resource Descriptor Sequence) ist ein XML Format, um Metadaten über eine Web Resource zu beschreiben und abrufbar zu machen (engl. „Discovery ) – insbesondere Dienste, die unter dieser Ressource verfügbar sind (engl.… …   Deutsch Wikipedia

  • Distributed social network — A distributed social network is an Internet social network service that is decentralized and distributed across different providers. The emphasis of the distribution is on portabilitya[›], interoperability and federation capability. It contrasts… …   Wikipedia

  • OpenID — The OpenID logo OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital… …   Wikipedia

  • Аутентификация в Интернете — Аутентификация – это проверка подлинности предъявленного пользователем идентификатора. Аутентификация требуется при доступе к таким интернет сервисам, как: электронная почта веб форумы социальные сети интернет банкинг платежные системы… …   Википедия

  • Ma.gnolia — Infobox Website name = Magnolia caption = url = http://ma.gnolia.com type = Online social bookmarking registration = Optional owner = Gnolia Systems launch date = 2006 [cite web |url=http://www.techcrunch.com/2005/10/22/magnolia more social… …   Wikipedia

  • XRDS — (eXtensible Resource Descriptor Sequence) is an XML format for discovery of metadata about a resource – in particular discovery of services associated with the resource, a process known as service discovery. For example, a website offering OpenID …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.