OAuth Explained

Mark — Mon, 25 Aug 2008 15:30:14 +0000

A few days I wrote a post about OpenID. There’s another authentication method similar to, but different from, OpenID called OAuth. OAuth stands for Open Authentication and was formed by a committee of users. The original spec for OAuth was released in late 2007. OpenID and OAuth were conceived for the same general purpose, but have little in common.

Imagine you own an expensive luxury car. A night on the town could put you at a fancy restaurant that offers valet service. Instead of giving the valet your owner’s key, you could hand the valet a less privileged key that would only start the car, allow it to be driven for one mile, and also lock out non-essential services (address book, navigation, etc). This is the basic concept of OAuth.

When you pass your username and password to an API, you’re giving it complete access to your account. If the wrong people get a hold of your credentials, they could use it maliciously and potentially lock you out of your account. Giving an API a password that only allows it to perform certain actions is the basis for OAuth and protects your identity from being used by others.

In the social networking world, FriendFeed allows services to interface with the API using a username and key that is separate from the password (Oauth in a nutshell). Other sites that tell you to use a secondary password or a key are operating under the same premise. Twitter also supports OAuth, but has little documentation on using it.

While OpenID mainly controls your information for websites as a whole, OAuth is primarily used for API access delegation. With OAuth, you can share information between websites without handing out your username and password. Neither one can (or should) be used mutually exclusive from the other service. Not all sites support OAuth, but it’s a growing trend that is catching steam.

Interested in a more in-depth analysis of OAuth? Check it out on Hueniverse.

OpenID and Why You Should Use It

Mark — Fri, 15 Aug 2008 15:00:12 +0000

What is OpenID?

OpenID is a decentralized, free, open standard that lets users control the amount of personal information they provide to a website. Simply put, it’s a way to control what personal information you allow sites access to and the ability to control it more easily. When using an OpenID, users authenticate themselves to sites using their OpenID url (aka alice.myopenid.com). Users don’t sign up for certain sites with a traditional username and password, but rather control their identity through their OpenID provider. If you like having multiple logins across the web but not having to sign up with a username and password (and remember them) for each one, OpenID is the solution for your problem. Any website can utilize OpenID authentication, yet very few do.

Why Use OpenID?

OpenID makes website signup and authentication simple and secure. The major benefit of OpenID is that it gives you more control over your online identity while saving you time. When using OpenID, you don’t have to sign up and find a username for each site that supports OpenID. Instead, you use the OpenID identity you’ve already established. Your OpenID allows you to simply remember your OpenID url — it takes care of the rest.

How Does It Work?

When you authenticate yourself to an OpenID enabled site, it makes a call back to your OpenID provider. The provider then asks you to log in to the ID service (if you’re not already). When you’ve successfully authenticated yourself to the OpenID server, it will ask if you want to allow access to the site requesting authentication. You can generally specify that you want to allow access to your identity forever, or for a certain period of time. The provider I’m using, myopenid.com, also shows me when the last time I logged into a particular site was, how many times I’ve granted my ID access to that site, and if I’ve specified to always allow access to the site.

Which Sites Use It?

Some of the bigger names using OpenID include Yahoo, Microsoft, Flickr, AOL, and WordPress. For a more complete list of services, check out the OpenID Directory.

Explanatory Video

This five minute video does a good job of explaining how OpenID interacts with the user and websites.

Where Do I Get One?

There are a number of Identity Providers. I use myopenid.com, but I know others who have used getopenid.com. The site in the video is myvidoop.com. If you have an account on Flickr, Gmail, or Yahoo, chances are you already have one! If not, head over to one of the aforementioned sites to get one.

mark.bockenstedt.net » Security

OAuth Explained

Related Posts

OpenID and Why You Should Use It

Related Posts