IETF begins standardising OAuth
The Internet Engineering Task Force (IETF) is setting up a new working group to standardise OAuth. This authentication protocol is intended to make access to users' private resources held by service providers more secure. OAuth's developers explained the concept at the 73rd meeting of the IETF in Minneapolis. Lisa Dusseault, one of the IETF's managers for the applications area, said that the delegation of authentication would be a central topic in coming years.
Blaine Cook, one of the developers, told heise online that the reason for the development of OAuth was the common tendency for personal passwords to be surrendered in Web 2.0, for example in order to give a print service access to a user's own Flickr database. With OAuth, the user's service provider accepts requests for data access and reacts by requesting the user's approval. When the user approves the release of the selected data, the provider sends a token to the requesting company, the "consumer". Only with this token can the consumer access the authorised data.
The prospect of a unified, widespread standard with consequent broad acceptance has stimulated Yahoo, Google, Myspace, AOL and others to support OAuth. Their own existing authentication protocols, such as BBAuth, FlickrAuth and AuthSub, did not achieve the desired level of support.
The partners in the OAuth consortium are using the protocol for various services. The Wesabe financial management portal combines all the financial expenditures and income of a user, while GoogleHealth enables physicians, for example, to access a patient's medication. Depending on their own requirements, the providers rely on different signature methods when sending the token. Wesabe relies on SSL connections and sends the token in clear text. Google initially preferred HMAC-SHA1, but then found its signature management dauntingly complex and now makes more use of RSA-SHA1 for application developers.
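The token flow described above (the consumer presents the token on every request, and the provider checks it) and the HMAC-SHA1 signature method mentioned here are both shown in the following worked example. This is added example code, not code from the article, heise online or any of the named providers; it follows the OAuth 1.0 signature base string and HMAC-SHA1 rules as later written down in RFC 5849, and it uses the sample consumer key, token and secrets from that RFC's introductory example (these are published documentation values, not real credentials). The in-memory nonce set, the 300-second timestamp window and the function names are assumptions made for this example.

```python
"""OAuth 1.0 request signing (consumer side) and verification (provider side).

Added example: demonstrates the HMAC-SHA1 signature method, the
"PLAINTEXT" alternative, and the replay checks a provider should do.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value: str) -> str:
    # OAuth percent-encoding: only the unreserved characters stay as-is.
    return quote(str(value), safe="-._~")


def base_string(method: str, base_url: str, params: list) -> str:
    """Build the signature base string: METHOD & url & normalised params."""
    # Encode every name/value first, then sort by encoded name, then value.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str) -> str:
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign_hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    key = signing_key(consumer_secret, token_secret).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_plaintext(consumer_secret: str, token_secret: str) -> str:
    # PLAINTEXT sends the secrets themselves; only acceptable over TLS.
    return signing_key(consumer_secret, token_secret)


def build_oauth_params(consumer_key, token, nonce=None, timestamp=None) -> list:
    return [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
    ]


def sign_request(method, base_url, query_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None) -> list:
    """Consumer side: returns the oauth_* parameters including the signature."""
    oauth = build_oauth_params(consumer_key, token, nonce, timestamp)
    base = base_string(method, base_url, query_params + oauth)
    return oauth + [("oauth_signature", sign_hmac_sha1(base, consumer_secret, token_secret))]


def authorization_header(oauth_params: list, realm: str) -> str:
    parts = [f'realm="{realm}"'] + [f'{pct(k)}="{pct(v)}"' for k, v in oauth_params]
    return "OAuth " + ", ".join(parts)


def verify_request(method, base_url, query_params, auth_params, consumer_secret,
                   token_secret, seen_nonces: set, now: int, window: int = 300) -> bool:
    """Provider side: freshness, nonce uniqueness, then constant-time signature check."""
    auth = dict(auth_params)
    try:
        ts = int(auth.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > window:          # stale request
        return False
    nonce_key = (auth.get("oauth_consumer_key"), auth.get("oauth_nonce"), ts)
    if nonce_key in seen_nonces:        # replayed request
        return False
    unsigned = [(k, v) for k, v in auth_params if k != "oauth_signature"]
    expected = sign_hmac_sha1(base_string(method, base_url, query_params + unsigned),
                              consumer_secret, token_secret)
    if not hmac.compare_digest(expected, auth.get("oauth_signature", "")):
        return False
    seen_nonces.add(nonce_key)          # only record nonces of valid requests
    return True


if __name__ == "__main__":
    url = "http://photos.example.net/photos"
    query = [("file", "vacation.jpg"), ("size", "original")]
    signed = sign_request("GET", url, query, "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                          "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", nonce="chapoH", timestamp=137131202)
    print(authorization_header(signed, "Photos"))
    print(verify_request("GET", url, query, signed, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00", set(), 137131202))
```

The provider never receives the secrets under HMAC-SHA1; it recomputes the signature from its own copy and compares in constant time, and the nonce/timestamp checks stop a captured request from being replayed. With the PLAINTEXT method the "signature" is the secret pair itself, which is why a provider choosing it, as Wesabe does, has to insist on SSL for every request.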
The developers of OAuth were asked by the IETF whether they were prepared to make their existing standard procedure completely available in cases of doubt. "As long as agreement prevails that a modified proposal solves the problem better, we should do it", says Cook. At any rate the seal of the IETF gives the standard more legitimacy. So Cook and Larry Halff, one of the co-authors, are prepared to cooperate with the IETF process. "We'd gladly circulate OAuth beyond the world of Web 2.0."
The growing significance of the delegation of rights management was also discussed in the IETF's Geopriv working group. They are considering whether there should also be a delegation system for location reports so that, for example, a pizza shop can deliver to the correct address. Jon Peterson, one of those responsible for the Real-time Applications and Infrastructure Area within the IETF, said it was already a reality that users were often unaware that their location data had been passed on to paying customers and companies. In the Geopriv working group, too, many developers saw an urgent need for appropriate standards.