Contents
- What is OAuth
- Terminologies used for OAuth
- Working of OAuth protocol
- Use-cases of OAuth
- Available implementations of OAuth
- Other similar vendor-specific protocols
- Loopholes and drawbacks of OAuth
3.
What is OAuth
History
- OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation.
- In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.
- In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.
What is OAuth
- A protocol that allows private data hosted on web site X to be shared with web site Y
- It's just a skeleton; the implementation can be vendor specific
4.
Terminologies used for OAuth
- Consumer: Application trying to access the protected resource
- Service Provider: Website or web service hosting the protected resource
- User: Owner of the protected data
- Protected Resource: Images, videos or documents hosted on a website or web service which are protected by the user
- Tokens: Random string of letters and numbers which is unique. Request Token, Access Token
- Scope: Set of data hosted on the service provider that the user wants to share with the consumer
5.
Working of OAuth protocol
- Site Y is the consumer and site X is the service provider
- Site Y has a consumer ID and shared secret, which site X provides to all its OAuth consumers
- User accesses site Y and wants to share private data hosted on site X
- Site Y sends a request to site X with the consumer ID and shared secret and asks for a Request Token
- Site X returns a Request Token to site Y
- Site Y redirects the user to the site X login service with the Request Token
- User enters username/password or OpenID credentials to log in to site X
- Site X validates the credentials, creates an Access Token associated with the Request Token and redirects the user to site Y with the Request Token
- Site Y sends the Request Token to site X asking for the Access Token
- Site Y gets the Access Token to access protected resources hosted on site X (the Access Token is valid only for a limited period of time)
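The token exchange in the steps above, as an in-memory model; this is an added example, not code from the slides or from any OAuth library. It assumes no HTTP and no request signing (the shared secret is compared directly, as the slide describes), and the class and method names are hypothetical.

```python
import hmac
import secrets
import time

class ServiceProvider:
    """Site X: holds the protected resources and issues both token types."""
    def __init__(self, consumers, users, access_ttl=3600):
        self.consumers = consumers    # consumer ID -> shared secret
        self.users = users            # username -> password (constructed data)
        self.access_ttl = access_ttl  # access token lifetime in seconds
        self.request_tokens = {}      # request token -> [consumer ID, user or None]
        self.access_tokens = {}       # access token -> (user, expiry time)

    def _check_consumer(self, consumer_id, secret):
        known = self.consumers.get(consumer_id)
        if known is None or not hmac.compare_digest(known, secret):
            raise PermissionError("unknown consumer or wrong shared secret")

    def issue_request_token(self, consumer_id, secret):
        self._check_consumer(consumer_id, secret)
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = [consumer_id, None]  # not yet authorized
        return token

    def login_and_authorize(self, request_token, username, password):
        # Happens on site X after the redirect; site Y never sees the password.
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            raise PermissionError("login failed")
        if request_token not in self.request_tokens:
            raise PermissionError("unknown request token")
        self.request_tokens[request_token][1] = username

    def exchange(self, consumer_id, secret, request_token):
        self._check_consumer(consumer_id, secret)
        owner, user = self.request_tokens.get(request_token, (None, None))
        if owner != consumer_id or user is None:
            raise PermissionError("request token not authorized for this consumer")
        del self.request_tokens[request_token]  # a request token is single use
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (user, time.time() + self.access_ttl)
        return access

    def get_resource(self, access_token, now=None):
        user, expires = self.access_tokens.get(access_token, (None, 0.0))
        if user is None or (time.time() if now is None else now) >= expires:
            raise PermissionError("invalid or expired access token")
        return f"protected photos of {user}"
```

Site Y's side is the call sequence issue_request_token, then (after the user's login on site X) exchange, then get_resource. A request token that the user has not authorized, that belongs to another consumer, or that was already exchanged is rejected.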
6.
Use-cases of OAuth
- User wants to order prints of the protected photos shared on some photo sharing site
- Will be very useful for mash-ups
- Will help in data portability
7.
Available Implementations of OAuth
- Google has released an open source API to implement OAuth
- Yahoo has come up with a Yahoo status application which supports OAuth
- Tripit is the first implementation of OAuth
8.
Other Similar vendor-specific protocols
- Google AuthSub
- Yahoo BBAuth (Browser Based Authentication)
- AOL Open Authentication
- Upcoming API
- Flickr API
- Amazon Web Services API