Mark Atwood (fallenpegasus) wrote,
Mark Atwood
fallenpegasus

First public draft of OAuth spec

Something I've been working on is OAuth. We just released our first public draft of the spec.

Have you used a website that has asked for the passwords to your email and IM accounts, so it can find your friends who are also there? Or a site that asks for your Flickr password so it can print your private photos?

They shouldn't do that! You have to trust them that nobody is sniffing your password to them, nobody is sniffing your password from them, they aren't recording it accidentally or intentionally, recording it in logs, and that it's not being stolen by some wage slave working in a body shop in India. You have to trust them more than they should be trusted, even if they have the best of intentions.

Google's AuthSub, Yahoo's BBAuth, AOL's OpenAuth, and Flickr's FlickrAuth. OAuth works the same way, only better. It it surely more secure than asking people to trust joebloe.com with their email passwords. And it's no harder to use.

Now that the 1.0 spec is pretty much nailed down, software is starting to show up. We hope to soon have useful modules for clients and for servers, for libcurl and for Apache, for Python, Perl, Ruby, and PHP.

If you write mashups, you need this.

If you run a useful web service or any sort of web API, you need this. You can't avoid being built in a mashup. Your only choice is to use an auth protocol, or have your users compromise their passwords.

And if you're not an geek web developer, and just want to use the web to browse, work, play, and connect with people, all you need to do now is whenever some site asks for your password to some other site, utterly refuse, and instead send them a note asking them why they don't support OAuth instead.


Here are some blog posts about it from other people involved: (link) and (link) (link). They do pretty good jobs of explaining it as well.
Tags: geek, oauth
Subscribe
  • Post a new comment

    Error

    Comments allowed for friends only

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 3 comments