I could give my username and password to the client and then it could use direct basic or digest auth, or there could be some sort of handshake protocol \n
But what if the client was actually a nefarious application - giving your username and password to a third party is a security risk, and you’ve also got a problem when you change your password on Twitter, you have to go and change all the passwords on any clients you’ve given it to\n
So what is a better alternative?\n
OAuth =)\n
So what is OAuth, well I think the official website sums it up nicely.\n“OAuth is an open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications.”\n
OAuth enables something I’ve called the love triangle to exist\n
So basically OAuth is a protocol that allows a user to authorise a client to make use of resources that the user owns on a resource server. If you’ve ever signed into Facebook or Twitter from a third party website then you will have seen a screen that says something like “Some application would like to connect to your Facebook profile and would like to know your name, your birthday and your email address”\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
OAuth is a standard that has gone through the Internet Engineering Task Force ratification process.\n
The current stable version is 1.0a which was finalised in April 2010. It’s version ‘a’ because there was a small alteration made very shortly after it was originally finalised that fixed a minor security vulnerability. Implementation was slow because at the time there were some other protocols being thrown around like OpenID. Twitter was probably the biggest proponent of OAuth.\n
Over the past year work on version 2.0 of the specification has been going on and it’s almost finished. When Facebook launched their open graph API it was the first API to make use of this version.\n
\n
So, who is using OAuth?\n
Well, just a few small players on the Internet...\n
Most of these guys started off with v1.0a, but because version 2 is a much more simpler protocol (and despite it not yet being finished) many have already implemented it\n
\n
I did a bit of googling and it looks like there are currently only three HEIs playing with OAuth\n
At Lincoln, we’ve invested a fair bit in it\n