Eight months ago we wrote about the launch of oAuth 1.0, asking if the standard would lead to a flood of mashups across the web.
A standard method of authenticating users across different services means that mashup builders need only write one authentication process, then apply it to all data sources that support the standard. That's hot, and it's now spreading faster around the web than we thought. We discuss what this means for users below.
Last night the Google Data API blog announced that oAuth is now available for all Google Data APIs, everything from Gmail contacts to Google Calendar to Docs to YouTube. This means that 3rd party app developers now have one easy, standardized and secure way to authenticate that their users really own the Google accounts they say they do - without the apps asking users for their Google passwords. That data from Google can then be mashed up with any other application interested in leveraging it.
Google had included oAuth into the OpenSocial framework, but there was little indication that app developers were making use of it. Google's recently launched FriendConnect offered website developers disappointingly little access to their users' data - partitioning the Google functionality into an iframe inside participating pages.
We've wondered recently whether oAuth was just a good idea that wasn't really gaining any traction. The list of sites with live oAuth support has been much smaller than we hoped. Now that's changing fast. PhotoBucket offers oAuth support and today SmugMug announced it as well.
We expect to see oAuth authenticating and relying parties spring up all around the web now that coveted Google user data is available through oAuth.
What This Means for Users
There is now no good reason for new applications to ask you for your Gmail username and password in order to access your list of contacts. Don't give it to them - there's a standard, approved way for them to access that data now that doesn't require giving them unlimited access to your entire account.
Apps that don't use the approved Google user authentication method in short order will be acting like a mail carrier who says they have to have a key to the inside of your house to pick up your mail because they aren't familiar with the mailbox on the front porch.
Furthermore, we as users can now expect a thrilling new wave of mashup options that can take secure advantage of our Google data. Google's adoption of oAuth is one of the most significant, tangible moves in support of authentic data portability that we've seen in a long time. App developers should be tripping over each other to make use of this data so that our use of their apps can be made richer, more powerfully useful and engaging. While they are developing to take advantage of Google's oAuth APIs, why not offer some oAuth back out to the world as well? Google's validation of the standard should start a snowball of standards enabled mashups.
We're very excited that Google has taken this step to un-silo our data and support the mutually beneficial ecosystem of mashup developers and users. We're very happy too for the community of oAuth supporters, who have done a great job building and spreading something so needed around the web. Today is a good day for the future of the web.