Identity Abuzz: OAuth

The community concerned with Identity on the Web has had a very hectic month of April. Identity is the bedrock foundation of anything social – think of 3rd-party value-add services rooted in the social graph that any one of Twitter, Facebook, LinkedIn, etc. exposes and promotes access to. Among various events, I single out Facebook’s F8 event as the catalyst for several announcements and specs that came out this month.

The emerging OAuth protocol is one of the most interesting sights in the Identosphere. OAuth enables 3rd-party access to web resources without propagating or sharing passwords. It has been likened to a valet key, in that resource owners can delegate access along with a bounded envelope of authorized actions.

I have been interested in OAuth for quite some time because it holds potential:

  • to stop the password sprawl and make it less likely that passwords will be mishandled, either in users’ hands or in the back end of some poorly managed IT shop or cloud (as I observed here in the case of smartphones)
  • to curb phishing vectors by way of branded sign-in pages that the user is redirected to in a seamless user experience
  • to bring data-entry-impaired devices (like my beloved Roku box) back into the fold of dependable authentication

The OAuth chronology goes like this:

  • Dec ‘07, OAuth 1.0 debuts
  • Vulnerabilities are documented
  • June ‘09, OAuth 1.0a is introduced, addressing those vulnerabilities
  • Shortly afterwards, OAuth 1.0a implementations become available, chiefly Twitter’s
  • OAuth 1.0a is demonstrated on the iPhone platform, with applications like Flickit
  • May 2009, IETF OAuth Working Group is chartered in the IETF
  • November 2009, folks from Microsoft, Google and Yahoo introduce the OAuth Web Resource Authorization Protocol (WRAP) and contribute it to the IETF. Chiefly, it standardizes the creation and propagation of tokens over SSL (in lieu of signatures). Also, it codifies a number of use cases and roles. By far, I found this to be the best-written spec in the whole OAuth document series
  • April 2010, OAuth 1.1 becomes RFC 5849
  • April 2010, OAuth WRAP implementations are announced
  • April 2010, the first revision of the OAuth 2.0 Internet Draft is released; it builds upon both OAuth 1.0a and OAuth WRAP
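The chronology above turns on one technical fork: OAuth 1.0a has the client sign every request with HMAC-SHA1 over a canonical base string, whereas WRAP (and the OAuth 2.0 draft that follows it) sends a plain token over SSL and relies on the transport for integrity. The following is an added example, not code from the original post or from any OAuth library, that implements the RFC 5849 signature base string, signs a request, and verifies it on the server side the way a 1.0a service provider would. The consumer key, token, secrets, nonce and timestamp are constructed here; they mirror the worked request in RFC 5849 so the resulting base string can be checked against the spec.

```python
"""OAuth 1.0a HMAC-SHA1 request signing and verification (RFC 5849, section 3.4).

Added example. Credentials and parameters below are constructed sample values
that mirror the worked example in RFC 5849; they are not live secrets.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters pass through."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """Build the normalized parameter string (section 3.4.1.3.2).

    params is a list of (name, value) pairs already decoded from the query string,
    the form body and the Authorization header. realm and oauth_signature are
    excluded; everything else is encoded, sorted by encoded name then value, and
    joined with "=" and "&".
    """
    pairs = [(pct(k), pct(v)) for k, v in params if k not in ("realm", "oauth_signature")]
    pairs.sort()
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, base_url: str, params) -> str:
    """METHOD & encoded base URL & encoded normalized parameters (section 3.4.1.1)."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with encoded consumer secret & encoded token secret, base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, base_url, params, consumer_secret, token_secret=""):
    """Client side: produce the oauth_signature value for a request."""
    return hmac_sha1_signature(signature_base_string(method, base_url, params),
                               consumer_secret, token_secret)


def verify_request(method, base_url, params, presented_signature, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the received request and compare
    in constant time. Any change to method, URL, a parameter or a secret fails."""
    expected = sign_request(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


# Constructed sample request (mirrors RFC 5849's worked example):
#   POST http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b  with body c2&a3=2+q
CONSUMER_SECRET = "j49sk3j29djd"
TOKEN_SECRET = "dh893hdasih9"
SAMPLE_METHOD = "POST"
SAMPLE_URL = "http://example.com/request"
SAMPLE_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string, decoded
    ("c2", ""), ("a3", "2 q"),                                # form body, decoded
    ("oauth_consumer_key", "9djdj82h48djs9d2"),               # Authorization header
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
    ("realm", "Example"),                                     # excluded from the base string
]

if __name__ == "__main__":
    sig = sign_request(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print("base string:", signature_base_string(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS))
    print("oauth_signature:", sig)
    print("verifies:", verify_request(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS, sig,
                                      CONSUMER_SECRET, TOKEN_SECRET))
```

The contrast with WRAP is that none of this canonicalization exists there: the token itself is the credential and is presented as-is, so its confidentiality rests entirely on SSL. That is also why a leaked 1.0a token is less useful to an attacker than a leaked WRAP token, since without the token secret the signature cannot be recomputed; a production verifier would additionally reject reused nonces and stale timestamps, which this example leaves out.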

I’m eager to see how OAuth will do vis-à-vis these challenges:

  • What impact: Will the OAuth protocol be universally implemented to the letter of the emerging IETF standard? Or will there be dialects, each producing an island of interoperability around a specific social graph like Twitter’s, Facebook’s, LinkedIn’s, etc.?
  • Set proper expectations: OAuth will not rid us of phishing. There will still be rogue clients and exploits of the client callback URL. However, the risks will provably be contained to losing the token in lieu of the password (the former being lower-grade security material than the latter)
  • Withstand cross-currents: XAuth (also announced in April!) and browser-specific solutions like Mozilla’s Account Manager pitch radically different solution points to the web identity challenge

I look forward to being at the Internet Identity unConference, May 17-19th, in Mountain View.
