OAuth
OAuth: Open, secure delegation for web services
Or, how to authorize access to your accounts without giving up your password
OAuth offers safe delegation of authority. It allows you to authorize a service (the Consumer) to act on your behalf at a second service (the Service Provider) -- but only within limits set by you and the Service Provider. Examples include a photo lab printing your online photos, or a social network using your address book to look for friends. Today's services typically require you to trust them with your authentication credentials, effectively giving them full access and allowing them to impersonate you. OAuth never exposes your credentials and lets you limit the access granted to each Consumer. A real-world analogy is a special valet key that you can give to a parking attendant. Unlike your regular key, the valet key only allows the car to be driven a few miles, and might not even open the trunk. One key for you, another to share.
How does it work?
OAuth uses tokens instead of the user's credentials. To get access, the Consumer directs the user to a web page specified by the Service Provider. The Service Provider authenticates the user and confirms the user's intent to grant limited access to the Consumer. The Consumer then regains control and is given a token, which it presents as needed to act on behalf of the user. Note that OAuth complements rather than replaces existing authentication: it can be used with a wide range of authentication mechanisms, including but not limited to OpenID.
Is OAuth a New Concept?
No. OAuth is the standardization of many well established security protocols: Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API, etc. OAuth was created by extracting the best practices and common core of the existing protocols into a single, well defined, open specification.
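The delegation flow described under "How does it work?" above, as an added example that is not part of the original article or of any OAuth library. It is a simplified in-memory model, not the OAuth Core wire protocol: the Service Provider authenticates the user on its own page, records the user's consent for one Consumer and a set of scopes, and hands back an opaque token; the Consumer then presents only that token. The names (ServiceProvider, Consumer, Grant, run_delegation), the scope strings and the sample user are constructed for the example, and binding each token to the Consumer it was issued to is an assumption of this model.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: the Service Provider's user store. Only the
# Service Provider ever sees these credentials; the Consumer never does.
USERS = {"alice": "correct horse battery staple"}


@dataclass(frozen=True)
class Grant:
    """What one token stands for: this user, this Consumer, these scopes."""
    user: str
    consumer: str
    scopes: frozenset


class ServiceProvider:
    def __init__(self, users):
        self._users = dict(users)
        self._grants = {}  # opaque token -> Grant

    def authenticate(self, user, password):
        # Performed on the Service Provider's own page, never by the Consumer.
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def authorize(self, user, password, consumer, scopes):
        """Authorization page: authenticate the user, record consent for this
        Consumer and these scopes, and return an opaque token (or None)."""
        if not self.authenticate(user, password):
            return None
        token = secrets.token_urlsafe(24)  # random; unrelated to the password
        self._grants[token] = Grant(user, consumer, frozenset(scopes))
        return token

    def access(self, token, consumer, scope):
        """Protected call: return the acting user if the token is valid for this
        Consumer and covers the requested scope, otherwise None."""
        grant = self._grants.get(token)
        if grant is None or grant.consumer != consumer:
            return None  # unknown token, or presented by a different Consumer
        if scope not in grant.scopes:
            return None  # the valet key does not open the trunk
        return grant.user

    def revoke(self, token):
        """User withdraws consent: the token stops working, the password is unchanged."""
        self._grants.pop(token, None)


class Consumer:
    def __init__(self, name):
        self.name = name
        self.token = None  # the only secret the Consumer ever holds

    def call(self, sp, scope):
        return sp.access(self.token, self.name, scope)


def run_delegation(password="correct horse battery staple"):
    """Walk through the flow once and report what each step observed."""
    sp = ServiceProvider(USERS)
    photolab = Consumer("photolab")
    # 1. Consumer sends the user to the Service Provider's authorization page;
    #    the user authenticates there and consents to read-only photo access.
    photolab.token = sp.authorize("alice", password, "photolab", {"photos:read"})
    if photolab.token is None:
        return {"authorized": False}
    results = {
        "authorized": True,
        # 2. Consumer presents the token for the granted scope.
        "in_scope": photolab.call(sp, "photos:read"),
        # 3. Same token, a scope the user never granted.
        "out_of_scope": photolab.call(sp, "contacts:read"),
    }
    # 4. The same token presented by a different Consumer is refused.
    other = Consumer("other-site")
    other.token = photolab.token
    results["wrong_consumer"] = other.call(sp, "photos:read")
    # 5. User revokes the grant: the token dies, the password is untouched.
    sp.revoke(photolab.token)
    results["after_revoke"] = photolab.call(sp, "photos:read")
    results["password_still_valid"] = sp.authenticate("alice", password)
    return results


if __name__ == "__main__":
    print(run_delegation())
```

The point to notice is what each party holds: the Consumer ends up with a random token and nothing else, so compromising it (or revoking it) never touches the user's password, and an attempt to use the token outside the granted scope is refused by the Service Provider rather than trusted on the Consumer's word.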
Is It Ready?
Yes, OAuth Core is ready for implementation, and is already available from a few providers. At the time of this writing, we expect implementations from (in alphabetical order) Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, and hopefully Google, Yahoo, and others soon to follow. Open source libraries are currently being developed for PHP, Rails, Python, .NET, Objective-C, C#, Java, and Perl. We expect most upcoming work to focus on implementations and the development of extensions to the protocol. More information and complete documentation can be found at the project homepage, http://oauth.net.
(Adapted from Explaining OAuth, published on September 05, 2007 by Eran Hammer-Lahav)