Mark Atwood (fallenpegasus) wrote,

First public draft of OAuth spec

Something I've been working on is OAuth. We just released our first public draft of the spec.

Have you used a website that has asked for the passwords to your email and IM accounts, so it can find your friends who are also there? Or a site that asks for your Flickr password so it can print your private photos?

They shouldn't do that! You have to trust that nobody is sniffing your password on its way to them, that nobody is sniffing it on its way out of them, that they aren't recording it, accidentally or intentionally, in logs, and that it's not being stolen by some wage slave working in a body shop in India. You have to trust them more than they should be trusted, even if they have the best of intentions.

Some of the big sites already have their own protocols for this: Google's AuthSub, Yahoo's BBAuth, AOL's OpenAuth, and Flickr's FlickrAuth. OAuth works the same way, only better. It is surely more secure than asking people to trust you with their email passwords. And it's no harder to use.

Now that the 1.0 spec is pretty much nailed down, software is starting to show up. We hope to soon have useful modules for clients and for servers, for libcurl and for Apache, for Python, Perl, Ruby, and PHP.

If you write mashups, you need this.

If you run a useful web service or any sort of web API, you need this. You can't avoid being built into a mashup. Your only choice is to use an auth protocol, or have your users compromise their passwords.

And if you're not a geek web developer, and just want to use the web to browse, work, play, and connect with people, all you need to do now is this: whenever some site asks for your password to some other site, utterly refuse, and instead send them a note asking why they don't support OAuth instead.

Here are some blog posts about it from other people involved: (link) and (link) (link). They do a pretty good job of explaining it as well.
Tags: geek, oauth
