Archive for the ‘Web’ Category

OAuth 1.0 to be issued as an Informational RFC

Friday, February 19th, 2010

As a “security guy”, I have been pleased to watch the emergence of the OAuth Working Group within the IETF and the work underway to create an actual IETF specification for OAuth. I haven’t had time to participate, but I’m glad to see that work going on.

If you aren’t aware of OAuth, it’s basically a way for you to authorize an application or service to interact with another application or service on your behalf without giving the first application or service your user ID and password for the second one.

For example, if you were a Twitter user in its earlier days, every time you wanted to use another application or web service with your Twitter account, you had to give that app or service your Twitter user ID and password. There’s a security issue here in that you are entrusting your credentials to some other company or application – and trusting that they won’t share or leak those credentials. There’s also a configuration issue in that if you change your password you then have to go to all the other services and provide the updated information. Now, with OAuth support in Twitter, when you want to add a new service to interact with your Twitter account, you are prompted to log in to your Twitter account and authorize or deny the access for the new service. The key point is that the new service or application never gets your Twitter credentials; it receives a token that you can revoke later without changing your password. (And as another example, OAuth is what our IMified service uses to allow an automated bot to interact with your Twitter account.)
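Under the hood, what the third-party application holds instead of your password is a consumer key/secret pair (identifying the application) and an access token/secret pair (identifying the authorization you granted), and it proves possession of them by signing every request. The following is an added example, not code from the original post or from any OAuth library: a small Python implementation of OAuth 1.0a HMAC-SHA1 request signing as described in OAuth Core 1.0a (the draft-hammer-oauth text), together with a minimal server-side verifier. The consumer key, access token, secrets, URL, nonce and timestamp are constructed values, and the ResourceServer class with its 300-second clock-skew window is an assumption for illustration.

```python
"""OAuth 1.0a HMAC-SHA1 request signing and verification.

Added example, not code from the original post or any OAuth library.
All keys, secrets, URLs, nonces and timestamps below are constructed;
ResourceServer is an illustrative verifier, not a real server.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value):
    """Percent-encode per OAuth 1.0: only RFC 3986 unreserved chars stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lowercase scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(url, oauth_params, body_params=()):
    """Merge query, oauth_* and form-body params; encode, sort, join with = and &."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list(body_params)
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body_params=()):
    """METHOD & encode(base URI) & encode(normalized parameters)."""
    return "&".join([method.upper(),
                     oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_params(url, oauth_params, body_params))])


def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Base64(HMAC-SHA1(consumer_secret&token_secret, base string)).

    The user's password for the service is never part of the key."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params, body_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class ResourceServer:
    """Illustrative verifier (assumption): recompute the signature, compare it in
    constant time, and reject stale timestamps and replayed nonces."""

    MAX_SKEW = 300  # seconds; the spec leaves the window to the server

    def __init__(self, consumer_secrets, token_secrets, clock):
        self.consumer_secrets = consumer_secrets  # consumer key -> consumer secret
        self.token_secrets = token_secrets        # access token -> token secret
        self.clock = clock                        # callable returning epoch seconds
        self.seen = set()                         # (consumer key, nonce, timestamp)

    def verify(self, method, url, oauth_params, body_params=()):
        try:
            consumer_key = oauth_params["oauth_consumer_key"]
            consumer_secret = self.consumer_secrets[consumer_key]
            token_secret = self.token_secrets[oauth_params["oauth_token"]]
            nonce = oauth_params["oauth_nonce"]
            timestamp = int(oauth_params["oauth_timestamp"])
            presented = oauth_params["oauth_signature"]
        except (KeyError, ValueError):
            return False
        if abs(self.clock() - timestamp) > self.MAX_SKEW:
            return False
        expected = sign(method, url, oauth_params, consumer_secret, token_secret, body_params)
        if not hmac.compare_digest(expected, presented):
            return False
        if (consumer_key, nonce, timestamp) in self.seen:
            return False  # replay of an otherwise valid request
        self.seen.add((consumer_key, nonce, timestamp))
        return True


# Constructed sample: an application fetching a user's timeline on their behalf.
CONSUMER_KEY, CONSUMER_SECRET = "abc123", "consumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "xyz789", "token-secret"
URL = "https://api.example.com/1/statuses/home_timeline.json?count=2"
NOW = 1266593400  # fixed clock so the run is deterministic


def build_request(nonce="wIjqoS", timestamp=NOW):
    """What the consumer sends: the oauth_* parameters plus the signature."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": nonce,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
              "oauth_token": ACCESS_TOKEN, "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params


def demo():
    """Returns (genuine accepted, replay rejected, tampered request rejected)."""
    server = ResourceServer({CONSUMER_KEY: CONSUMER_SECRET},
                            {ACCESS_TOKEN: TOKEN_SECRET}, clock=lambda: NOW)
    request = build_request()
    accepted = server.verify("GET", URL, request)
    replayed = server.verify("GET", URL, request)  # same nonce presented again
    tampered = server.verify("GET", URL.replace("count=2", "count=200"), request)
    return accepted, not replayed, not tampered
```

Two things worth noticing when running it: the signing key is built only from the consumer secret and the token secret, so revoking the token at the service invalidates the application without touching the user’s password; and the verifier must exclude `oauth_signature` itself when rebuilding the normalized parameter string, otherwise it can never match what the consumer signed.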

Anyway, OAuth emerged out of the developer community and now there is work underway in the IETF to create official specifications to help promote OAuth implementations. As a first step, it was announced this week that OAuth 1.0 will be published as an Informational RFC. As noted in the announcement:

The OAuth protocol was originally created by a small community of web developers from a variety of websites and other Internet services, who wanted to solve the common problem of enabling delegated access to protected resources. The resulting OAuth protocol was stabilized at version 1.0 in October 2007, and revised in June 2009 (revision A) as published at <http://oauth.net/core/1.0a>.

This specification provides an informational documentation of OAuth Core 1.0 Revision A, addressing several errata reported since that time, as well as numerous editorial clarifications. While this specification is not an item of the IETF’s OAuth Working Group, which at the time of writing is working on an OAuth version that can be appropriate for publication on the standards track, it has been transferred to the IETF for change control by authors of the original work.

This first step will get a base-level spec out so that people looking to implement OAuth will have an IETF specification they can use. The RFC hasn’t been published yet, but the draft that will become the RFC is here:

http://tools.ietf.org/html/draft-hammer-oauth

It’s good to see this work going on within the IETF and I look forward to seeing further work there. From my perspective, OAuth is a great step in helping secure connections between apps and services over the web… which is good for all of us as more and more moves into the cloud.


If you found this post interesting or helpful, please consider either subscribing via RSS, becoming a fan on Facebook, or following us on Twitter.


Must-See Video: Tim O’Reilly’s Web 2.0 Keynote on The War For The Web

Friday, November 20th, 2009

This week in New York City, Tim O’Reilly gave a keynote at the Web 2.0 event that I definitely put in my “must-see” category. Not because of anything visual… I mean, it’s just Tim standing on stage talking… but because of his message.

There is a war on out there on the Internet.

It’s a war between those who would like to keep the Internet as the open platform for innovation that it has been for decades… those who champion “The Internet Way” – and those who would like to return the Internet to the world of walled gardens from which it emerged. In his excellent piece published on Monday, “The War For The Web“, Tim speaks of the sides as “Small Pieces, Loosely Joined” and, of course, “One Ring To Rule Them All”. He concludes with:

It could be that everyone will figure out how to play nicely with each other, and we’ll see a continuation of the interoperable web model we’ve enjoyed for the past two decades. But I’m betting that things are going to get ugly. We’re heading into a war for control of the web. And in the end, it’s more than that, it’s a war against the web as an interoperable platform. Instead, we’re facing the prospect of Facebook as the platform, Apple as the platform, Google as the platform, Amazon as the platform, where big companies slug it out until one is king of the hill.

And it’s time for developers to take a stand. If you don’t want a repeat of the PC era, place your bets now on open systems. Don’t wait till it’s too late.

This IS the battle that will frame the Internet in the coming years. As I wrote a few months ago in ‘Of DDoSs and SPOFs: How Twitter and Facebook violate “The Internet Way”‘, the way of the Internet is to use “distributed and decentralized” services. That’s how email works… that’s how the “web” works… that’s what excites me about the promise of Google Wave – not just that it’s a great platform for collaboration (and as I show here, it is), but that the Wave protocol has been designed from the start to be about federation… to be about distributed and decentralized services.

This war is a large part of why I work here at Voxeo, where one of our core values is “Unlocked Communications”, where we are huge believers in open standards (and chair or co-chair many of the standards committees), where we do things like open source our Tropo cloud telephony platform (“The Cloud Must Be Open!”) and where, in contrast to Nuance and TellMe as Tim mentions at 13:22, we give away our speech recognition engine for free as part of our Prophecy IVR/application platform. It’s a war for openness that I believe we must win!

But listen to Tim… and then ask yourself – which side of the war are you on?

