Chris Messina (aka FactoryJoe), Larry Halff (of Ma.gnolia) and Eran Hammer-Lahav accepted our invitation to join Ted and me and discuss OAuth in our latest Bungee Line podcast.
What is OAuth? From OAuth Getting Started - Part 1, here's the gist of it:
"OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your username and password.
...Users don’t care about protocols and standards – they care about better experience with enhanced privacy and security. This is exactly what OAuth sets out to achieve. With web services on the rise, people expect their services to work together in order to accomplish something new. Instead of using a single site for all their online needs, users use one site for their photos, another for videos, another for email, and so on. No one site can do everything better. In order to enable this kind of integration, sites need to access the user resources from other sites, and those are many times protected (private family photos, work documents, bank records)."
Adam Kalsey summarizes it well:
"OAuth aims to standardize the way in which different consumer systems share data. The goal is to allow a person to give an application access to do some things on your accounts at other sites, but not everything. It’s role-based authorization for APIs."
OAuth is a big idea, but is it a "solution looking for a problem to solve"? I don't think so. The problem for end users today is real: letting one service access your data held by another service, securely and under your control, without handing the first service your credentials. For developers building apps and services that create value from customer data stored on other services, there is no standardized protocol to lean on. Instead, developers waste time learning a new authorization scheme for each service provider, working through the specific mechanisms and idiosyncrasies of each one.
The current way is broken: too many means to the same end, for end users, for developers leveraging service APIs, and for the service providers themselves wanting to extend their services through web APIs.
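What that standardized mechanism looks like in practice, as an added example that is not part of the original post or of any OAuth library: a minimal OAuth 1.0 HMAC-SHA1 signing routine on the consumer side and the matching check on the service-provider side, in Python. The consumer signs each API call with its consumer secret and the token secret it received when the user approved it, so the provider can check who is calling and what was authorized while the user's password never enters the picture, which is the point made in the quotes above. The credentials, URL, nonce and timestamp are the sample values from the OAuth Core 1.0 spec's Appendix A walkthrough, not real secrets; the ServiceProvider class, its in-memory nonce set and the 300-second clock window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Sample credentials: the values the OAuth Core 1.0 spec uses in its own
# Appendix A walkthrough, not real secrets. The consumer secret is shared at
# registration; the token secret is issued with the access token once the user
# has approved the consumer. The user's password is never part of the signing key.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
ACCESS_TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
PHOTO_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"


def oauth_encode(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Lowercase scheme and host, drop default ports, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """METHOD & enc(normalized URL) & enc(sorted encoded k=v pairs joined by &).

    Query-string parameters count as request parameters; oauth_signature itself
    is excluded because it is the value being computed."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in list(params) + query if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); output is base64 of the HMAC."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    """Consumer side: build the oauth_* parameters for one API call and sign them."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params.items()), consumer_secret, token_secret)
    return params


class ServiceProvider:
    """Service-provider side (an assumption of this example): look up the secrets for the
    presented key and token, reject stale or replayed requests, then recompute the signature."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window
        self.seen_nonces = set()

    def verify(self, method, url, params, now):
        p = dict(params)
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        token_secret = self.tokens.get(p.get("oauth_token"))
        if consumer_secret is None or token_secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > self.window:
            return False  # outside the accepted clock-skew window
        nonce_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return False  # replay of a request already accepted
        expected = hmac_sha1_signature(signature_base_string(method, url, p.items()), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False  # tampered parameters or wrong secrets
        self.seen_nonces.add(nonce_key)  # record only after the signature checked out
        return True


if __name__ == "__main__":
    now = int(time.time())
    signed = sign_request("GET", PHOTO_URL, CONSUMER_KEY, CONSUMER_SECRET,
                          ACCESS_TOKEN, TOKEN_SECRET, "kllo9940pd9333jh", now)
    provider = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET}, {ACCESS_TOKEN: TOKEN_SECRET})
    print("first call accepted:", provider.verify("GET", PHOTO_URL, signed, now))
    print("replay accepted:", provider.verify("GET", PHOTO_URL, signed, now))
```

Two design points worth noting: the nonce is only recorded after the signature verifies, so an unauthenticated party cannot burn nonces for a legitimate consumer, and the comparison uses hmac.compare_digest rather than == to avoid timing side channels on the signature check.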
OAuth is getting attention from a number of people and services; Six Apart and others ("Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, and hopefully Google, Yahoo, and others soon to follow") have committed to run with it. This is good news, but we need to get the word out there and help make developers' lives easier. So, go listen to the first OAuth podcast and evangelize OAuth!
Background on Chris, Larry, and Eran
What problem is OAuth trying to solve?
What is the current identity landscape - what are the alternatives, and why is OAuth a better way for all?
How does OAuth work, who should use it?
What's the development experience like?
What's the end-user experience like?
What's the relationship between OAuth and OpenID?
Where is OAuth today?
What will it take for OAuth to succeed?
Who's backing OAuth - adopters?