Application development through application programming interfaces (APIs) is just like any relationship -- it’s
all about trust.
The way that trust is developed is through an open authentication standard called OAuth. As Sam Ramji puts it, the “Cambrian explosion of apps” that has happened in the past few years could not have come about without it.
“[OAuth has] become standard practice for people using large social media APIs,” said Ramji, vice president of strategy with Palo Alto, Calif.-based API management company Apigee, “and it’s becoming increasingly more common across enterprise APIs.”
While acceptance of the standard is becoming commonplace, and the term has generated some buzz, not everyone understands exactly what it means.
Scott Morrison keeps it simple in his explanation. The chief technology officer of Vancouver-based API management company Layer 7 uses Facebook and Twitter, both early adopters of OAuth, to describe the term.
“Both [Facebook and Twitter] represent me in one way or the other, and I want to tie those [two] together,” Morrison said. “OAuth is a technology for allowing individuals to build that trust ad hoc between different sites.”
Morrison says the consolidation of accounts in the current Web climate is crucial, but that before OAuth, it was a mess of usernames and passwords that had to be distributed across multiple platforms, leaving gaps in security and making it difficult to keep track of what went where.
“The problem with that is it gave [an application] the keys to the kingdom. The trust you gave was susceptible to collapse if any one party was compromised,” Morrison said. “Instead, what we want is delegated authorization. We want to be able to say to Facebook, ‘Here’s a special credential which gives you limited access to a Twitter account, but you can access the tweets and that’s all.’ A limited subset of functions.”
Exploring OAuth benefits for application development
It is the limited subset of functions that differentiates OAuth from OpenID, which merely provided authentication but did not allow for the management of access rights. Without delegating authorization and managing access rights, OAuth is no different than single sign-on authentication.
While OAuth is a standard, Morrison describes it as anathema to the “big standardization we’ve done in the past.” He describes it as being more of a grassroots movement that has enabled developing.
“The key thing is that it’s allowing developers to be able to integrate multiple applications together using APIs,” Morrison said. “The big revolution going on in development is using standardized APIs to allow applications to talk to applications. OAuth is an important part of that because it’s the piece used for authentication and delegated authorization. It’s the token you use when you make the call from one application to the other.”
OAuth grew out of service-oriented architecture, but like APIs it is simplified, which fits into what Morrison calls the “modern developer zeitgeist” of quick-to-market, agile development.
With that, he adds the addendum that OAuth has not gained acceptance in all quarters, and while it is taking off with early adopters it still exists largely in the consumer-end of the development pool.
“A lot of what people are doing these days in government, military, intelligence community -- groups like that tend to gravitate more to solid standards,” Morrison said. “OAuth in a lot of ways has yet to prove itself in those realms. It has done great work in building apps for iPhones and getting Facebook and Twitter to work together.”
Morrison expects OAuth to have a trickle-up effect and eventually reach more secure development environments.