Authorisation: Why Social Media Needs OAuth

The cloud needs safe information sharing, not old-fashioned identity management – and that’s where the OAuth protocol comes in

The social media explosion has allowed businesses and individuals to present themselves in many new and interesting ways, but it’s also taken the challenge of managing one’s digital identity from merely “difficult” to something approaching “I give up.”

Whether one uses cloud-based services for content management, marketing and sales efforts, or just sharing photos from a company event, one can’t count on the IT department for help in managing the ever-increasing number of credentials that are necessary.

It’s possible – with the help of a lot of sticky notes – to keep track of a multitude of user IDs and passwords. For the digitally connected, it’s now commonplace to present one’s login from an established site, such as Facebook, Google or Twitter, especially when accessing a service that uses data from one of those online cornerstones.

The little-known OAuth protocol

For most of us, this “just works” and once we’re set up, we go on to sharing photos, or tweets, or whatever. But much of this ability to easily access a service without setting up yet another ID and password rests on a little-known protocol, called OAuth.

OAuth (as in “open authorisation”) traces its beginning to the fall of 2006, when implementers of OpenID, including Blaine Cook, Twitter’s lead developer at the time, Larry Halff of what is now Gnolia, Chris Messina, now with Google, David Recordon of Facebook, and others began discussing ways of delegating authentication through an API.

Within a year, a draft of the core OAuth specification was ready for release. Since then, the specification has had its tires kicked in a number of implementations, and since last year, a working group of the Internet Engineering Task Force (IETF) has hashed over issues that must be resolved before OAuth can be properly considered a standard.

This spring, things really began to move for OAuth. Enough changes had come out of the working group to justify a “2.0” label, which appeared on a fresh draft of the specification that was posted to the IETF wiki on April 22. Earlier that week, Facebook CEO Mark Zuckerberg announced at the company’s F8 developer conference in San Francisco that, as part of the introduction of its Open Graph package, the company was “eliminating the Facebook Connect brand” and implementing OAuth as its chosen authentication method.

At the risk of going overboard, OAuth appears to be the hottest thing in identity management.

OAuth’s supporters often compare the protocol to the valet key of a luxury car. Such a key allows a parking attendant to use the car in a limited fashion, barring access to boots (trunks) or onboard phones, and restricting the operating radius of the car to a mile or two. In a similar fashion, OAuth enables end users to present identity credentials from one site or service, and grant another service access to data on the first site, without exposing one’s password to the second site.