OAuth: Share Your Ideas, Not Your Password
As we've thought more and more about the big challenges facing the social media world, we've been inspired not just by the communities that use our tools, but by the community of peers that make other great sites and services. That's inspired us to create technologies like OpenID to help with authentication and identity, or to support services using memcached to help scaling. It's also the reason we're working to open the social graph.
What's the next big challenge? Making it safer and easier for all of our applications and services online to talk to each other.
Right now, if you want Flickr to post to your TypePad blog, or you want to connect a client to update both your Twitter account and your LiveJournal, you have to give them the password to your account, giving a third party free rein on your site. Even worse, on some other services, the password for an account used for blogging or other applications is the same login that controls extremely sensitive information like your email account or credit card systems.
You shouldn't have to give out the password to your email account or access to your credit card just because you want to use two websites together.
So at Six Apart, we're excited to support the effort around OAuth. The OAuth community has just announced a final draft of the 1.0 specification. As more sites are adopting OpenID, all of us who make services have been realizing that the practice of giving your password to another web service or desktop application for API access just doesn't work any more. It was something we had to do at the time out of necessity, but now we've got a better way to do things.
There are some examples to learn from, too: Google, Flickr, Yahoo!, AOL, Amazon, and others have all developed protocols to address this problem on their own services, but developers still had to go and learn each of these systems. And these existing implementations were similar (because they solved the same problem), but different enough in implementation to be a pain in the butt if you wanted to support them all.
OAwesome!
So, OAuth was born. It's been an effort spearheaded by Blaine Cook of Twitter, Chris Messina, and Larry Halff of Ma.gnolia, who soon invited us and a wider community into the fold earlier this year. In addition to our support at Six Apart, the OAuth community has grown to include supporters from Google, Amazon, Yahoo's Flickr team, and many others, notably Eran Hammer-Lahav, who's done a wonderful job as the final editor for the technical spec.
So how does OAuth work? Read/WriteWeb describes a scenario where you, "could login to Twitter through Twitterific but only give Twitterific access to read and write messages - not to change your user profile page, your password or do anything else that they could in theory do today with full access to your account." The website compares it to a "valet key" for your car, but applied to your online accounts.
Like OpenID's roots, OAuth came from a small group of dedicated people working to solve a real problem. And like OpenID, all these people shared the goal of keeping the protocol as simple as possible while still allowing for flexibility when using it. OAuth really complements OpenID, and we believe this new spec is most powerful when used in conjunction with OpenID. Imagine being able to sign in to Twitter with your OpenID from your Vox blog and grant Vox permission to post an update when you write an entry, all without having to create a new username and password, without having to reveal your existing password, and without clunky workarounds like copying and pasting long API keys. That's a real mashup and illustrates the power of the web itself as an open platform.
Best of all, this new, easier experience for mashing up different websites is something a regular, non-technical user can actually do.
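To make the "valet key" idea concrete, here is an added example (not Six Apart's code and not code from the OAuth specification) of what actually travels over the wire in OAuth 1.0: the consumer signs each request with HMAC-SHA1 over a signature base string, keyed by its consumer secret and the token secret, so the user's password is never sent to the third party. The credential values and the request are the ones from the worked example in the OAuth Core 1.0 appendix, so the computed signature can be checked against the spec. The service-provider side (the names verify_request, CONSUMERS, TOKENS, ENDPOINT_SCOPE and revoke, and the per-token scope map) is this example's own construction: OAuth 1.0 itself leaves what a given token may do up to the service provider, which is exactly where a provider limits a token to reading and writing messages but not changing a profile, and where a user can pull the key back.

```python
"""OAuth 1.0 HMAC-SHA1 signing (consumer side) and verification with
per-token scopes and revocation (service-provider side).
Added illustration for this post; the provider-side data model is assumed.
Credential values are the OAuth Core 1.0 appendix example, not real ones."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ unescaped."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """METHOD & enc(URL without query) & enc(sorted 'k=v' list of every
    request and oauth_* parameter except oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; the user's password never appears."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Consumer side: attach the oauth_* parameters and the signature."""
    signed = dict(params)
    signed.update({"oauth_consumer_key": consumer_key, "oauth_token": token,
                   "oauth_signature_method": "HMAC-SHA1",
                   "oauth_timestamp": str(timestamp), "oauth_nonce": nonce,
                   "oauth_version": "1.0"})
    base = signature_base_string(method, base_url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


# Service-provider state: constructed sample data (assumed data model).
CONSUMERS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}        # consumer key -> secret
TOKENS = {"nnch734d00sl2jdk": {"secret": "pfkkdhi9sl3r4s00", "user": "jane",
                               "scopes": {"photos:read"}, "revoked": False}}
ENDPOINT_SCOPE = {("GET", "http://photos.example.net/photos"): "photos:read",
                  ("POST", "http://photos.example.net/profile"): "profile:write"}
_seen_nonces = set()                                          # replay protection


def verify_request(method, base_url, params, now=None, window=300):
    """Service-provider side. Returns (ok, reason)."""
    now = time.time() if now is None else now
    consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key"))
    record = TOKENS.get(params.get("oauth_token"))
    if consumer_secret is None or record is None:
        return False, "unknown consumer or token"
    if record["revoked"]:
        return False, "token revoked"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > window:
        return False, "timestamp outside window"
    replay_key = (params["oauth_consumer_key"], params["oauth_token"],
                  params.get("oauth_nonce"), ts)
    if replay_key in _seen_nonces:
        return False, "nonce replayed"
    expected = hmac_sha1_signature(signature_base_string(method, base_url, params),
                                   consumer_secret, record["secret"])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    _seen_nonces.add(replay_key)
    needed = ENDPOINT_SCOPE.get((method.upper(), base_url))
    if needed is None:
        return False, "no scope defined for endpoint"
    if needed not in record["scopes"]:
        return False, f"token lacks scope {needed}"
    return True, f"ok as {record['user']}"


def revoke(token):
    """The user takes the valet key back; the consumer's credentials stop working."""
    TOKENS[token]["revoked"] = True


if __name__ == "__main__":
    url = "http://photos.example.net/photos"
    req = sign_request("GET", url, {"file": "vacation.jpg", "size": "original"},
                       "dpf43f3p2l4k3l03", "kd94hf93k423kf44", "nnch734d00sl2jdk",
                       "pfkkdhi9sl3r4s00", "kllo9940pd9333jh", 1191242096)
    print(req["oauth_signature"])
    print(verify_request("GET", url, req, now=1191242100))
```

The scope check runs only after the signature verifies, so an attacker cannot use an unsigned probe to learn which endpoints a token covers, and the nonce is recorded only after a valid signature, so junk requests cannot burn nonces on a legitimate consumer's behalf. Revoking the token is a single flag flip on the provider; nothing has to be rotated on the user's own password.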
As you might imagine, we're really excited to continue seeing the great adoption of OpenID (the past two weeks included France Telecom and Ask.com's Bloglines) providing tens of millions more people with OpenID identities. Now that OAuth is ready to build upon, our dreams of an open social graph are one step closer to a reality.