From IIW
Revision as of 16:12, 3 February 2011 by WikiSysop (talk | contribs) (Undo revision 3246 by Igiwydijok (Talk))

OAuth: Open, secure delegation for web services

Or, how to authorize access to your accounts without giving up your password

OAuth offers safe delegation of authority. It allows you to authorize a service (the Consumer) to act on your behalf at a second service (the Service Provider), but only within limits set by you and the Service Provider. Examples include a photo lab printing your online photos, or a social network using your address book to look for friends. Today's services typically require you to trust them with your authentication credentials, effectively giving them full access and allowing them to impersonate you. OAuth never exposes your credentials and lets you limit the access granted to each Consumer. A real-world analogy is the special valet key that you can give to a parking attendant. Unlike your regular key, the valet key only allows the car to be driven a few miles, and might not even open the trunk. One key for you, another to share.

How does it work?

OAuth uses tokens instead of the user's credentials. To get access, the Consumer directs the user to a web page specified by the Service Provider. The Service Provider authenticates the user and confirms the user's intent to grant limited access to the Consumer. The Consumer then regains control and is given a token, which it can present as needed to act on behalf of the user. Note that OAuth complements rather than replaces existing authentication. It can be used with a wide range of authentication mechanisms, including but not limited to OpenID.
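As an added illustration that is not part of the original article or of any OAuth library, the following Python model walks through the token exchange just described: the Consumer obtains a request token, the user logs in and grants limited access on the Service Provider's own page, the Consumer swaps the authorized token for an access token, and then signs a request with it (HMAC-SHA1 over the OAuth signature base string). The user name, password, consumer key and secret, scope names and URL are all constructed sample values.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote
def pct(s):  # OAuth percent-encoding: only unreserved characters are left as-is
    return quote(str(s), safe="-._~")
def base_string(method, url, params):  # METHOD & encoded URL & encoded, sorted parameter string
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])
def sign(method, url, params, consumer_secret, token_secret=""):  # HMAC-SHA1 over the base string
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # the user's password is never an input
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class ServiceProvider:  # in-memory Service Provider with one constructed user and one registered Consumer
    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}  # constructed sample login
        self.consumers = {"photolab-key": "photolab-secret"}     # constructed consumer registration
        self.tokens = {}                                         # token -> {secret, kind, user, scope}
    def _issue(self, kind, user=None, scope=()):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "kind": kind, "user": user, "scope": set(scope)}
        return tok, sec
    def request_token(self):  # step 1: temporary token, not yet tied to any user
        return self._issue("request")
    def authorize(self, token, username, password, scope):  # step 2: on the SP's own login page
        if self.users.get(username) != password: raise PermissionError("bad login")
        self.tokens[token].update(user=username, scope=set(scope))
    def access_token(self, token):  # step 3: authorized request token -> access token
        rec = self.tokens.get(token)
        if not rec or rec["kind"] != "request" or not rec["user"]: raise PermissionError("not authorized")
        del self.tokens[token]  # the request token is single-use
        return self._issue("access", rec["user"], rec["scope"])
    def protected(self, method, url, params, signature, scope):  # step 4: check signature, then scope
        rec = self.tokens.get(params.get("oauth_token"))
        if not rec or rec["kind"] != "access": return 401, "invalid token"
        expected = sign(method, url, params, self.consumers[params["oauth_consumer_key"]], rec["secret"])
        if not hmac.compare_digest(expected, signature): return 401, "bad signature"
        if scope not in rec["scope"]: return 403, "outside granted scope"
        return 200, f"{rec['user']}: {scope}"

def consumer_flow(sp, user_approves):  # Consumer side; user_approves(token) stands in for the user's browser
    ckey, csecret = "photolab-key", "photolab-secret"
    rtok, _ = sp.request_token()
    user_approves(rtok)  # the Consumer hands over only the token and never sees the password
    atok, asec = sp.access_token(rtok)
    def call(scope, token_secret=asec):  # a signed request on the user's behalf
        params = {"oauth_consumer_key": ckey, "oauth_token": atok, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": "1188950400", "oauth_nonce": secrets.token_hex(4), "oauth_version": "1.0"}
        sig = sign("GET", "https://sp.example/photos", params, csecret, token_secret)
        return sp.protected("GET", "https://sp.example/photos", params, sig, scope)
    return call
```

The password is only ever checked by the Service Provider; the Consumer handles tokens alone, and a request signed with a guessed token secret or made for a scope the user did not grant is refused.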

Is OAuth a New Concept?

No. OAuth is the standardization of many well-established security protocols: Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API, etc. OAuth was created by extracting the best practices and common core of the existing protocols into a single, well-defined, open specification.

Is It Ready?

Yes, OAuth Core is ready for implementation, and is already available from a few providers.  At the time of this writing, we expect implementations from (in alphabetical order) Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, and hopefully Google, Yahoo, and others soon to follow.  Open source libraries are currently being developed for PHP, Rails, Python, .NET, Objective-C, C#, Java, and Perl. We expect most upcoming work to focus on implementations and the development of extensions to the protocol.  More information and complete documentation can be found at the project homepage, http://oauth.net.

(Adapted from Explaining OAuth, published on September 05, 2007 by Eran Hammer-Lahav)