I CAN HAS OPEN: OAuth Summit 2008
Shamelessly copied the title from Eran's blog post on OAuth Summit - hope he doesn't mind. :-)
So the OAuth Summit finally happened yesterday at the Yahoo! campus in Santa Clara, CA. It was great meeting with a lot of other folks that have been working on OAuth for a while now from different companies and organizations.
The Summit started with a discussion of the IPR agreement (usual legal stuff) and what's included in the first IPR documents that will be sent out to everyone in the next week or so, followed by self-introductions. We then went through several demos of products and applications using the OAuth protocol.
The first one was from the MySpace folks, showing how their new MySpace iGoogle gadget uses their new MySpace Data Protocol (MDP), which uses OAuth to let users link their iGoogle account with their MySpace account and thereby allow the iGoogle gadget to access MySpace data. Paul Walker from MySpace talked about the MySpace Data Availability APIs and how the OAuth protocol is incorporated in them to allow users to control the way their data is exposed to consumers. (You can check out the sample MySpace app created by the TechCrunch guys here: http://www.techcrunch.com/myspace/app.php and more information about MySpace Data Availability here: http://mashable.com/2008/06/26/myspace-data-availability/)
The second demo was by the Google Health team showing how they support the GData API using OAuth to allow Consumers access to the user's Health information. (The Google guys also announced the support for OAuth yesterday - more information here: http://googledataapis.blogspot.com/2008/06/oauth-for-google-data-apis.html )
The third demo was a demo of a Portable Contacts test client by Joseph Smarr of Plaxo. The tool is hosted @ http://pulse.plaxo.com/pulse/pdata/testClient - it can be used to execute different methods defined in the Portable Contacts API. As you can guess it does use OAuth for obtaining user permissions to access their contacts data.
The fourth demo was by Mike from Pownce.com showing how they have built an iPhone App for Pownce using the iPhone SDK. He walked us through the process of how the App registers the callback URL and does the token management using the KeyChain API.
The fifth demo was by the FireEagle (Yahoo!) guys showing the way the FireEagle APIs support the OAuth protocol, the UI flow and various permission management options.
The final demo was by the Microsoft guys showing how Windows Live ID supports authorization currently without using OAuth.
After a short lunch break, we started the discussions with OAuth versioning. After a long discussion everyone agreed to stay with the 1.0 version but release an updated spec with a new date. Since the updates to the spec are completely backwards compatible, using the same version (1.0) helps in reducing the confusion around who supports what, etc.
The next topic was token attributes, but most of the discussion revolved around the "scope" of the Token (basically Authorization). Clearly there was a difference of opinion between people about whether a Consumer should be able to ask for what it needs or should get the authorization only when it needs it.
The other discussions were mostly about:
- how to combine OpenID and OAuth, while providing better user experience (showing one authorization page instead of two, using OpenID Association information instead of Consumer Key/Secret, etc.)
- how to support Consumers with no consumer key/secret (the most common use cases are a feed reader accessing a user's private feeds and JavaScript widgets on websites that can be easily copied from one site to another)
- how OpenSocial uses OAuth in their new OpenSocial REST API (v0.8)
- how to support Gadgets that use OAuth protected resources
- most commonly used extensions by different providers:
  - Problem Reporting Extension,
  - RSA Key Rotation Extension,
  - Gadgets Extension,
  - XRDS-Simple Discovery Extension, and
  - ScalableOAuth Extension.
You can find information about each of them from the OAuthSummit wiki page.
Overall the Summit was a huge success, with good discussions on various topics from different perspectives, agreeing on what's in scope for the OAuth spec update and of course agreeing on what we will work on in the next couple of weeks/months to iron out the details on various extensions to bring them to their final versions.
I am very excited to see the way OAuth is being adopted across the industry. Can't wait to get our OAuth support out soon!
- alavillipraveen's blog
