Announcing OAuth 1.0 Public Draft 1

Well, it’s been a long time coming, and if you’ve been following my Twitters at all, you’ll know that I’ve been working on an open authorization protocol called OAuth for the past few months. Today we released the first Public Draft for review.

The idea started as a humble effort to accomplish two goals: first, to enable Ma.gnolia members who created their accounts with OpenIDs (and therefore don’t have traditional usernames and passwords) to be able to use Dashboard Widgets; and second, to enable Twitter to adopt OpenID when its current API requires a username and password to authorize access to protected status feeds.

In any case, both of these use cases were part of the same problem: the lack of a uniform and open protocol for what’s called “delegated authorization”, that is, letting a third-party application act on your account with limited rights without ever handing it your password. Another useful metaphor that I’ve come to like is the one John Panzer and, before him, Eran Hammer-Lahav used, that of a valet key:

OAuth is like a valet key for all your web services. A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or limit the RPMs on your high end German automobile. In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.

Arguably the value of OAuth as a technological innovation goes beyond that. After all, anyone can implement their own valet key system that works in their own universe of vehicles. The harder part is actually the social and political work of getting everyone to buy in and follow the same design pattern, leading to interoperability between systems.

In fact that’s where we were before OAuth: Google had AuthSub, AOL had OpenAuth (OAuth’s former name, by the way), Yahoo had BBAuth and Flickr had FlickrAuth (not to mention Facebook Auth and Windows Live ID Web Authentication). Which meant that if you were an independent developer (like Matt Biddulph from Dopplr) you had to pick which auth system you wanted to support, unless you had money and time coming out of your armpits, in which case you’d code against all of them.

Of course, that’s not reality. No one has the time or energy to maintain support for every protocol, so instead most people take the easy way out and simply ask you for the keys to all the different services you use:

[Screenshot: ShareThis “Import your addresses...” form, which asks you to type in the username and password for your webmail account]

Now, don’t get me wrong, this gets the job done. And it works. But it’s a really really really bad idea.

Not only are people being trained to think that it’s okay to fill in any form that looks like a Gmail login box on any old website (trusted or not), but it creates an untenable situation where, as a member of these various services, you have no way to control the access you’ve given away without changing your password. A stored password is all-or-nothing: the site holding it can do anything you can, and the only way to cut off one site is to change the password, which in effect disables every one of the sites storing your credentials, forcing you to revisit every one of them and share your new username and password. What a crappy experience!

Fortunately, Flickr got it right a long time ago and set the bar for user experience. In their model, you can try out a bunch of tools that help you upload photos to the service or use off-site mashups that do cool things with your photos all without giving away your most valuable credentials: your username and password!

Instead, when you sign in to your account, Flickr will assign special keys called “tokens” to each application that wants to access your account. Flickr then lets you configure how much access you want to grant to each app and lets you revoke that access at any time. No changing your password, no running around to have to re-authenticate all the apps that you still want to use if you want to disable one of them.

OAuth takes that approach one step further: it extracts the best practices from the popular auth systems I mentioned above and turns them into one elegant, unified authorization protocol that anyone can implement. And, because it’s an open standard that we hope many people will adopt in place of their own proprietary systems, it should be a no-brainer for developers to use and to support, resulting in fewer sites that, with a straight face, continue to ask you for your username and password. (Oh, and yes, it is compatible with OpenID, with Google Accounts, with Yahoo Accounts and any other sign-in system. OAuth doesn’t dictate how you sign in, only how you delegate access.)
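To make the difference between the two models concrete, here is a small added illustration written for this page (it is not code from the OAuth draft, from Flickr, or from any service named above). It models an account that issues one opaque, scoped, revocable token per application, next to the anti-pattern of a site that stores the raw password, and shows that revoking one app’s token leaves the others working while a password change breaks every password-storing site at once. The class and scope names (`Account`, `Grant`, `PasswordHoarder`, `photos:read`, `photos:write`) are illustrative assumptions, not names from the spec.

```python
"""Per-application tokens versus a shared password.

Added example written for this page to illustrate the delegation model
described in the post: each application gets its own scoped, revocable
token instead of the account password. Not code from the OAuth draft,
Flickr, or any service named in the post; all class and scope names
(Account, Grant, PasswordHoarder, "photos:read", ...) are assumptions.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    app: str                # which application holds this token
    scopes: frozenset       # what that application is allowed to do
    revoked: bool = False


@dataclass
class Account:
    password: str
    grants: dict = field(default_factory=dict)   # token -> Grant

    def grant(self, app, scopes):
        """Issue an opaque, unguessable token for one app, limited to `scopes`."""
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(app, frozenset(scopes))
        return token

    def revoke(self, token):
        """Cut off one app; every other app's token keeps working."""
        if token in self.grants:
            self.grants[token].revoked = True

    def authorize(self, token, scope):
        """True only if the token is known, not revoked, and carries `scope`."""
        g = self.grants.get(token)
        return g is not None and not g.revoked and scope in g.scopes


class PasswordHoarder:
    """The anti-pattern: a third-party site that keeps your raw password."""

    def __init__(self, name, stored_password):
        self.name = name
        self.stored_password = stored_password

    def can_log_in(self, account):
        # A stored password grants full access or none; there is no middle ground.
        return secrets.compare_digest(self.stored_password, account.password)


def compare_models():
    """Run both models on a constructed account and return the observable outcomes."""
    acct = Account(password="correct horse battery")

    # Shared password: two sites both hold the credential.
    importer = PasswordHoarder("AddressImporter", acct.password)
    uploader = PasswordHoarder("PhotoUploader", acct.password)
    shared_before = (importer.can_log_in(acct), uploader.can_log_in(acct))
    acct.password = "new password"      # the only way to cut off the importer ...
    shared_after = (importer.can_log_in(acct), uploader.can_log_in(acct))  # ... breaks both

    # Per-app tokens: scopes bound what each app can do, and revocation is per app.
    t_upload = acct.grant("PhotoUploader", {"photos:write"})
    t_mashup = acct.grant("CoolMashup", {"photos:read"})
    mashup_read = acct.authorize(t_mashup, "photos:read")
    mashup_write = acct.authorize(t_mashup, "photos:write")   # not in its scope
    acct.revoke(t_mashup)
    return {
        "shared_before": shared_before,
        "shared_after": shared_after,
        "mashup_could_read": mashup_read,
        "mashup_could_write": mashup_write,
        "mashup_after_revoke": acct.authorize(t_mashup, "photos:read"),
        "uploader_after_revoke": acct.authorize(t_upload, "photos:write"),
        "unknown_token": acct.authorize("not-a-real-token", "photos:read"),
    }


if __name__ == "__main__":
    for name, outcome in compare_models().items():
        print(f"{name}: {outcome}")
```

The two things worth noticing are that the mashup’s token can read but never write, because the scope is attached to the token rather than to the account, and that revoking the mashup leaves the uploader untouched, whereas the password change above it disabled both password-storing sites at once.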

Even though we’re only releasing the first public draft today, we already have pledges from Ma.gnolia, Twitter, Pownce, Jaiku, Dopplr and others that they intend to implement the protocol.

If you want to get involved, join our mailing list and take a look at the OAuth libraries under development for PHP, Ruby, Python, C# and others. We plan to formally release the final version of the OAuth Protocol v1.0 on Oct 1, so watch this space for more news until then.

2 Comments

  1. at 6am on Sep 22nd

    Congrats. I really appreciate the significance of this. From a developer’s standpoint, we need a way of simplifying the silo field around us. With an easy way to uniformly “get in the barn” and “count the animals” (a rural play on your metaphors above), some fantastic development hurdles will be overcome. When the time comes, you can count on BricaBox joining that list of OAuth pledges.

  2. at 10pm on Sep 23rd

    Yes! Great idea and framing.

10 Trackbacks

  1. [...] Announcing OAuth 1.0 Public Draft 1 Introduction to and rationale behind OAuth – writeup by Chris Messina. (tags: oauth authentication standards protocol chrismessina) [...]

  2. links for 2007-09-23 on Sep 22nd at 8pm

    [...] FactoryCity » Announcing OAuth 1.0 Public Draft 1 Even though we’re only releasing the first public draft today, we already have pledges from Ma.gnolia, Twitter, Pownce, Jaiku, Dopplr and others that they intend to implement the protocol. (tags: OAuth social_networking socialsoftware socialnetworking socialgraph toblog) [...]

  3. [...] away. First draft of OAuth 1.0 is out, Chris Messina explains what it’s all about: OAuth takes that approach one step further and extracts the best practices from the popular [...]

  4. [...] of all this week?  The first public release of the 1.0 version of the OAuth spec.   Read what Chris, & Mark, panzerjohn, Eran, Eran S., Dick and others have to say about [...]

  5. links for 2007-09-24 on Sep 24th at 2am

    [...] Announcing OAuth 1.0 Public Draft 1 OAuth is like a valet key for all your web services. A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or limit the RPMs on your high end German automobile. (tags: openid oauth api protocol openstandards) [...]

  6. [...] announced OAuth 1.0 Public Draft basically a way for developers to duplicate Flickr’s FlickrAuth but with an industry wide [...]

  7. [...] we are about to see something that will assist this – oAuth. In fact, Chris Messina explains that oAuth was created out of necessity to use OpenID. He also announced that the public drafts of 1.0 spec are now [...]

  8. [...] For more coverage see Marshall Kirkpatrick at Read/WriteWeb, Brady Forrest at O’Reilly Radar, Microsoft’s Dare Obasanjo, and Chris Messina. [...]

  9. [...] there is a solution, and it was developed specifically because Ma.gnolia ran into this problem when it became an OpenID relying party. The result, nine [...]

  10. [...] is actually an extraction of a number of protocols that came before. In the place of a username and password, it substitutes a consumer key (like a username for an [...]