OAuth
OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours). This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.
OAuth is a service that is complementary to, and therefore distinct from, OpenID.
History
OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Ma.gnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation. [citation needed]
The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton from Google learned of the OAuth project, and expressed his interest in supporting the effort. In July 2007 the team drafted an initial specification. Eran Hammer-Lahav joined and coordinated the many OAuth contributions, creating a more formal specification. On October 3, 2007, the OAuth Core 1.0 final draft was released.
At the 73rd Internet Engineering Task Force meeting in Minneapolis in November 2008, an OAuth BoF was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.
The OAuth 1.0 Protocol was published as RFC 5849, an informational Request for Comments, in April 2010.
Since August 31, 2010, all third party Twitter applications have been required to use OAuth.[1]
OAuth 2.0
OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification is being developed[2] within the IETF OAuth WG and was expected to be finalized by the end of 2010 according to Eran Hammer.[3] However, due to discording views about the evolution of OAuth, Hammer left the working group.[4]
Facebook's new Graph API only supports OAuth 2.0 and is the largest implementation of the emerging standard.[5] As of 2011, both Google[6] and Microsoft[7] had added OAuth 2.0 experimental support to their APIs.
Security
On April 23, 2009, a session fixation security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as "3-legged OAuth") in OAuth Core 1.0 Section 6.[8] Version 1.0a of the OAuth Core protocol was issued to address this issue.[9]
There is a debate over security concerns of OAuth 2.0.[10][11]
Uses
OAuth can be potentially used as an authorizing mechanism to consume secured (i.e., authenticated) RSS/ATOM feeds. Consumption of RSS/ATOM feeds that requires authentication has always been an issue. For example; an RSS feed from a secured Google Sites can not be consumed using Google Reader. 3-Legged OAuth can be used to authorize Google Reader to the RSS feed from that Google Site.
List of OAuth Service Providers
| Service Provider | OAuth Protocol |
|---|---|
| bitly | 2.0 |
| 2.0 | |
| Flickr | 1.0a |
| Formstack | 2.0 |
| Foursquare | 2.0 |
| GitHub | 2.0 |
| 2.0 | |
| 2.0 | |
| Microsoft (Hotmail, Messenger, Xbox) | 2.0 |
| OpenTable | 1.0a |
| 1.0a | |
| MySpace | 1.0a |
| Netflix | 1.0a |
| Plurk | 1.0a[12] |
| Salesforce.com | 1.0a, 2.0 |
| Sina Weibo | 2.0 |
| StatusNet | 1.0a |
| Tumblr | 1.0a |
| 1.0a | |
| Vimeo | 1.0a |
| VK | 2.0 |
| Veevop | 2.0 |
| Yahoo! | 1.0a |
| Yammer | 2.0 |
| Yelp | 1.0a |
OpenID vs. pseudo-authentication using OAuth
The following drawing highlights the differences between using OpenID vs. OAuth for authentication. With OpenID, the process starts by the application asking the user for their identity (basically a log-in request by the application, to which the user typically provides an OpenID URI rather than actual credentials), whereas in the case of OAuth, the application specifically requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on the user's behalf (which typically explicitly names the particular rights requested, and does not require the user to enter credentials at all). If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs. In either case, the access to the Identity Provider will involve authentication to the Identity Provider, unless some session is already in effect. The net effect, in the OpenID case, is that the application allows the user access, because it trusts the OpenID Identity provider. The net effect, in the OAuth case, is that the API provider allows the application access, because it trusts its own valet keys.
Controversy
In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification. Hammer pointed to a conflict between the web and enterprise cultures, citing the IETF as a community that is "all about enterprise use cases", that is "not capable of simple". What is now offered is a blueprint for an authorisation protocol, he says, and "that is the enterprise way", providing a "whole new frontier to sell consulting services and integration solutions".[13]
In comparing OAuth 2.0 with 1.0, Hammer points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure"... He explains how architectural changes for 2.0 unbound tokens from clients, removed all signatures and cryptography at a protocol level and added expiring tokens because tokens couldn't be revoked while complicating the processing of authorisation. Numerous items were left unspecified or unlimited in the specification because "as has been the nature of this working group, no issue is too small to get stuck on or leave open for each implementation to decide".[14]
See also
References
- ^ Chris Crum (2010-08-31). "Twitter Apps Go OAuth Today". WebProNews.com. Retrieved 2011-03-14.
- ^ "The OAuth 2.0 Authorization Protocol". 2011-02-16.
- ^ Eran Hammer-Lavah (2010-05-15). "Introducing OAuth 2.0". Retrieved 2011-03-14.
- ^ Eran Hammer-Lavah (2012-07-26). "OAuth 2.0 and the Road to Hell". Retrieved 2012-07-26.
- ^ "Authentication - Facebook Developers". developers.facebook.com.
- ^ "Making auth easier: OAuth 2.0 for Google APIs". googlecode.blogspot.com. 2011-03-14.
- ^ Dare Obasanjo (2011-05-04). "Announcing Support for OAuth 2.0". windowsteamblog.com.
- ^ "OAuth Security Advisory: 2009.1". 2009-04-23. Retrieved 2009-04-23.
- ^ OAuth Core 1.0a
- ^ "Is OAuth 2.0 Bad for the Web?". 2010-09-20. Retrieved 2010-09-21.
- ^ "an unwarranted bashing of Twitter's oAuth". 2011-08-03. Retrieved 2011-08-03.
- ^ http://www.plurk.com/API
- ^ "OAuth 2.0 and the Road to Hell". Eran Hammer. 28 July 2012. Retrieved 16 August 2012.
- ^ "OAuth 2.0 and the Road to Hell". Eran Hammer. 28 July 2012. Retrieved 16 August 2012.
External links
- RFC5849 at the IETF
- OAuth.net
- OAuth WG at the IETF
- OAuth Code Library Support on Google Groups
- OAuth Beginner's Guide and Resource Center on Hueniverse
- Google OAuth & Federated Login Research
- Yahoo! OAuth Quick Start Guide
- How-to: Real-time Linux system monitoring on Twitter using OAuth and perl
- OAuth Checklist
- OAuth Toolkit May Help Secure APIs
- LIVE Demo of OAuth with Google, Yahoo