Jump to content

OAuth

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Typhoonhurricane (talk | contribs) at 07:44, 22 May 2010 (History: Added RFC info about OAuth 1.0.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

OAuth logo
OAuth logo

OAuth (Open Authorization) is an open standard that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password.

OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).

Thus OAuth allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.

OAuth is a complementary but distinct service to OpenID.

History

OAuth began in November 2006, during which Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorise Dashboard Widgets to access their service. Thus, Cook, Chris Messina and Larry Halff from Ma.gnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation.

The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton from Google learned of the OAuth project, and expressed his interest in supporting the effort. In July 2007 the team drafted an initial specification. Eran Hammer-Lahav joined and coordinated the many OAuth contributions, creating a more formal specification. On October 3, 2007, the OAuth Core 1.0 final draft was released.

At the 73rd Internet Engineering Task Force meeting in Minneapolis in November of 2008, an OAuth BOF was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.

The OAuth 1.0 Protocol was published as an informational Request for Comments (RFC 5849) on April 2010.

OAuth 2.0

OAuth 2.0[1] is the next evolution of the OAuth protocol. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification is being developed within the IETF OAuth WG.

Facebook's new Graph API only supports OAuth 2.0 and is the largest implementation of the emerging standard. [2]

Security

On 2009-04-23 a security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as ‘3-legged OAuth’) in OAuth Core 1.0 Section 6.[3] Version 1.0a of the OAuth Core protocol was issued to address this issue.[4]

See also

References

  1. ^ http://tools.ietf.org/html/draft-hammer-oauth2-00
  2. ^ http://developers.facebook.com/docs/authentication/
  3. ^ "OAuth Security Advisory: 2009.1". 2009-04-23. Retrieved 2009-04-23.
  4. ^ http://oauth.net/core/1.0a
Retrieved from "https://en.wikipedia.org/w/index.php?title=OAuth&oldid=363518551"