The distributed group of developers working on the Open Authentication spec, OAuth, have released what they hope will be the final draft of their 1.0 version. The OAuth spec will create a standardized way for applications to request permission to access user info held by other applications, and for info-holding services to communicate clear rules and options for accessing parts of the data they hold.
The spec got a burst of publicity earlier this week when the widely used feed reader Bloglines announced that they intend to support it in addition to OpenID and the Attention Data standard APML.
In this post I offer a high-level overview of what OAuth does, in as much as I understand it, followed by some thoughts on the concepts from some helpful industry experts.
Why a Standard?
Standards are the railroad tracks for a potential explosion of innovation, and OAuth aims to make mashups far easier to develop than ever before. The group of developers took what they believed to be the best qualities from a long list of other authentication protocols and created an open standard they believe will make mashups safer to use and simpler to develop.
What Will This Look Like?
Here's one example of what OAuth might look like. There are lots of services like Twitbin or Twitterrific that let you use your Twitter account in a much more powerful way outside of the Twitter web page. Those applications ask for your Twitter username and login, though; OAuth will let these apps interact with Twitter without users exposing their full login info.
In that, OAuth is like OpenID, but this protocol will let services that hold your data offer a set of rules and options for allowing other applications to access selected parts of it. You could log in to Twitter through Twitterrific but only give Twitterrific access to read and write messages, not to change your user profile page or your password, or do anything else that it could in theory do today with full access to your account.
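To make the Twitterrific scenario concrete, here is a small added model (not code from the OAuth spec or from any of the services named) of a service that issues scoped delegated tokens instead of handing out the password. The scope names, the client name and the token format are constructed assumptions for illustration; OAuth 1.0 leaves the granular rules to each service.

```python
from dataclasses import dataclass, field

# Constructed scope names for this demo; a real service defines its own.
ALL_SCOPES = frozenset({"messages:read", "messages:write", "profile:write"})


@dataclass
class AccessToken:
    user: str
    client: str        # the third-party app holding the token
    scopes: frozenset  # what the user agreed to let that client do


@dataclass
class TwitterLikeService:
    tokens: dict = field(default_factory=dict)

    def issue_token(self, user, client, scopes):
        # The data-holding service decides which parts of the account the client may touch.
        token_id = f"{user}:{client}:{len(self.tokens)}"  # deterministic id, demo only
        self.tokens[token_id] = AccessToken(user, client, frozenset(scopes))
        return token_id

    def password_login(self, user, client):
        # Pre-OAuth model: the app holds the real password, so it can do everything.
        return self.issue_token(user, client, ALL_SCOPES)

    def revoke(self, token_id):
        # Revoking one delegated token cuts off one app without touching the password.
        return self.tokens.pop(token_id, None) is not None

    def authorize(self, token_id, required_scope):
        tok = self.tokens.get(token_id)
        return tok is not None and required_scope in tok.scopes

    # Each API call declares the scope it needs; the check is the security boundary.
    def post_message(self, token_id, text):
        return self.authorize(token_id, "messages:write")

    def change_password(self, token_id, new_password):
        return self.authorize(token_id, "profile:write")


def demo():
    svc = TwitterLikeService()
    scoped = svc.issue_token("alice", "twitterrific", ["messages:read", "messages:write"])
    full = svc.password_login("alice", "legacy-app")
    results = {
        "scoped_post": svc.post_message(scoped, "hello"),            # allowed
        "scoped_password_change": svc.change_password(scoped, "x"),  # denied
        "full_password_change": svc.change_password(full, "x"),      # allowed: shared password
    }
    svc.revoke(scoped)
    results["scoped_post_after_revoke"] = svc.post_message(scoped, "again")
    return results
```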
Is This Really Going to Happen? Let's Ask Some Experts
Making open standards real doesn't sound like a lot of fun, but the OAuth group seems to have a good start. The spec is being worked on by people from Google, Amazon, Yahoo/Flickr, Six Apart and all three of the leading microblogging services. Implementation is expected soon by Netflix, Threadless, Bloglines, Twitter, Jaiku, Pownce, Ma.gnolia and others.
Agreeing on the final draft of the 1.0 spec is likely the last thing companies are waiting on and that's something that's happening a lot faster with OAuth than with OpenID 2.0, for example. Scott Kveton, Chairman of the Board of the OpenID Foundation, told me he thinks OAuth is another exciting move towards data portability and user control. He said that the small group involved in the spec is a real benefit when it comes to speed of development but that they will still have to struggle with IP like copyright before implementation really takes off with large players.
Oren Michels, of the recently funded API management service Mashery, says that OAuth could save his team a lot of valuable time currently spent working with the particulars of each non-standard API. He also told me, though, that many of his customers already have their own APIs built and would not likely go back and make them standards-compliant. Ultimately, he said, good APIs are more important than standards-compliant ones. In the future, companies that learn about OAuth early in the development of their APIs could implement it if there's sufficient market adoption.
Finally, I talked to John Musser of API super-site Programmable Web. Musser said that he's long argued that security is the number one barrier to further mashup proliferation and OAuth appears to address that well. "Higher value, 'personal mashups' require access to more interesting data than you can get without some secured access," he said, "but of course it's also an area lacking in standards, certainly from the perspective of the current generation of web 2.0 APIs." Musser also agreed with Michels that good APIs are more important than standards; he said that mashups are perfectly buildable today with the current circumstances but that a standard like OAuth could make a big difference by easing the complexity for developers.
Only time will tell whether OAuth has legs - but given the parties participating and the potential power of the standard, it may not take too much time to get a good look into the future.