Need privacy? Go for OAuth

On Facebook we can import our contact list from our mail accounts... hmm, do you trust it enough to give away your secret password?

Here comes the saviour (I hope!)

OAuth is an open protocol that lets desktop and web applications get authorized access to an API in a simple, standard way. It is especially useful for the kind of access mashups and widgets need, and it is one of the standards adopted by the DataPortability project, because it lets data move between different web apps. Most mashup widgets today ask the user for their credentials in order to fetch a contact list, post links to bookmarks or blogs, and so on. With OAuth, users no longer need to hand their confidential Google username and password to a third-party service so that it can reach their data on Google services. I think it is more than OpenID. OAuth is now available for all Google Data APIs, everything from Gmail contacts to Google Calendar to Docs to YouTube.

Thus OAuth allows you to grant another site access to your private resources on one site without sharing your password.


ReadWriteWeb says:

Apps that don't use the approved Google user authentication method in short order will be acting like a mail carrier who says they have to have a key to the inside of your house to pick up your mail because they aren't familiar with the mailbox on the front porch.
Read "Mashups: Google's Adoption Makes OAuth a Must Have for All Apps". It says:

Every day new websites offer services which tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only do you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they want, even change your password and lock you out.

This is what OAuth does: it allows you, the User, to grant access to your private resources on one site (which is called the Service Provider) to another site (called the Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).

How does it work?

Suppose there is a service provider X (a mashup, widget, social app, bookmark app, ...) that holds the resource data we want. A consumer C has an app Y, which can be a third-party widget, a desktop app or any other tool that uses data from service X. The consumer app Y must be registered with service X beforehand; registration is what gives Y the consumer key and consumer secret it will sign its requests with.

When the user decides to let app Y fetch the data, a dialog between the consumer and the service begins: the consumer asks the service for a request token (getRequestToken), and that request is signed with the consumer secret so the service knows which registered app is asking.

Then the user is sent to the service with that request token. The user logs in at the service, not at the consumer, and authorizes the request there.

Then the user is sent back to the consumer site, and a second dialog exchanges the now-authorized request token for an access token.

All further communication is signed with the consumer secret together with this access token and its secret.

So the user need not worry about privacy, because this form of "contract" exists between the consumer app and the service provider: the consumer only ever holds a token the service issued for it, never the user's password.
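Here is the whole dialog as runnable code, with both sides in one process. It is an added example written for this post, not code from the OAuth project or from Google; the service endpoints, the consumer key and secret, the user "alice" and her contact list are all made up for the demonstration. Both parties sign with HMAC-SHA1 over the signature base string the way a real consumer and service do, and the service recomputes the signature with its own copy of the secrets and refuses a bad signature or a replayed nonce. One parameter goes beyond the 1.0 flow described above: the oauth_verifier the user carries back from the service, which the OAuth 1.0a revision added in 2009 to tie the authorization step to the consumer that started it.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlsplit

REQUEST_TOKEN_URL = "https://service.example/oauth/request_token"  # hypothetical endpoints of service X
ACCESS_TOKEN_URL = "https://service.example/oauth/access_token"
CONTACTS_URL = "https://service.example/api/contacts"


def percent_encode(value):
    # OAuth 1.0 encoding: only RFC 3986 unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # METHOD&base-url&normalized-params, covering every parameter except oauth_signature itself
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.hostname.lower()}{parts.path}"  # default ports assumed
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Key is consumer_secret&token_secret; the token part is empty when asking for a request token
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(consumer_key, consumer_secret, method, url, token=None, token_secret="", **extra):
    # Consumer side (app Y): add the oauth_* parameters and sign; the user's password never appears here
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return params


class ServiceProvider:
    """Toy service X (hypothetical): knows the consumer secrets, issues tokens, owns the user's data."""
    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret, agreed when app Y registers with X
        self.request_tokens = {}    # token -> {"secret", "consumer", "user", "verifier"}
        self.access_tokens = {}     # token -> {"secret", "consumer", "user"}
        self.seen_nonces = set()    # (consumer_key, timestamp, nonce): each signed request is accepted once
        self.contacts = {"alice": ["bob@example.com", "carol@example.com"]}  # constructed sample data

    def verify(self, method, url, params, token_secret=""):
        # Recompute the signature with the service's own copy of the secrets; False on mismatch or replay
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        nonce = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if consumer_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1" or nonce in self.seen_nonces:
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce)  # from now on a replay of this exact signed request is refused
        return True

    def _authenticate(self, method, url, params, table=None):
        # Look up the token this call needs (if any), check it belongs to the calling consumer, verify the signature
        entry = {"secret": ""} if table is None else table.get(params.get("oauth_token"))
        if entry is None or entry.get("consumer", params.get("oauth_consumer_key")) != params.get("oauth_consumer_key"):
            raise PermissionError("unknown token for this consumer")
        if not self.verify(method, url, params, entry["secret"]):
            raise PermissionError("bad signature or replayed request")
        return entry

    def get_request_token(self, method, url, params):
        self._authenticate(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"], "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, user):
        # The user approves the request token while logged in at the service, never at the consumer
        entry = self.request_tokens[token]
        entry["user"], entry["verifier"] = user, secrets.token_hex(8)
        return entry["verifier"]

    def get_access_token(self, method, url, params):
        entry = self._authenticate(method, url, params, self.request_tokens)
        if entry["user"] is None or params.get("oauth_verifier") != entry["verifier"]:
            raise PermissionError("request token was not authorized by the user")
        del self.request_tokens[params["oauth_token"]]  # a request token is exchanged at most once
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": entry["consumer"], "user": entry["user"]}
        return token, secret

    def get_contacts(self, method, url, params):
        entry = self._authenticate(method, url, params, self.access_tokens)
        return self.contacts[entry["user"]]


def run_three_legged_flow(service, key, secret, user):
    # The dialog from the post: request token, user approves at the service, access token, signed API call
    req_token, req_secret = service.get_request_token("POST", REQUEST_TOKEN_URL, sign_request(key, secret, "POST", REQUEST_TOKEN_URL))
    verifier = service.authorize(req_token, user)  # stands in for the browser redirect to the service and back
    acc_token, acc_secret = service.get_access_token("POST", ACCESS_TOKEN_URL, sign_request(
        key, secret, "POST", ACCESS_TOKEN_URL, req_token, req_secret, oauth_verifier=verifier))
    return service.get_contacts("GET", CONTACTS_URL, sign_request(key, secret, "GET", CONTACTS_URL, acc_token, acc_secret))
```

With a registered consumer, ServiceProvider({"widget-app": "widget-secret"}) and run_three_legged_flow(service, "widget-app", "widget-secret", "alice") return Alice's contacts without the consumer ever seeing her password, while verify() returns False for a request signed with the wrong consumer secret and for a second submission of an already accepted request. Two things a real deployment adds: the service also bounds oauth_timestamp so the nonce set can be pruned, and the consumer secret must stay out of anything shipped to users (a desktop app or browser widget), because whoever holds it can sign as that app.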

OAuth UX flow:

A number of companies and individuals are working on solutions to this problem including Google, Yahoo and Microsoft, as well as the OAuth project. Initiated by Blaine Cook, Chris Messina, Larry Halff and David Recordon, OAuth aims to provide an open standard for API access delegation. The OAuth discussion group was founded in April 2007 to provide a mechanism for this small group of implementers to write the draft proposal for the protocol.

OAuth is already gaining considerable momentum, with implementations for many popular languages including Java, C#, Objective-C, Perl, PHP and Ruby. The majority of these implementations are hosted by the OAuth project in a Google Code repository. Sites supporting OAuth include Twitter, Ma.gnolia, Photobucket and Google.
