With the advent of the social web, a new level of interconnectedness between content and its consumers has emerged – a new way of interacting with and accessing content. The Washington Post (WP), for instance, can now be read on Facebook through WP’s social reader application.
Such interconnectedness opens new frontiers in innovation and content consumption, there is no doubt about that. On the flip side, however, it also poses new challenges (and opportunities) for content providers and content curators alike.
Understandably, a greater level of accessibility would lead to privacy issues if content providers had access to all data stored on another website. This obvious challenge in the new social web is overcome by authentication protocols such as OAuth:
“Every day new websites offer services which tie together functionality from other sites [...] a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only you expose your password to someone else [...] you also give them full access to do as they wish. They can do anything they wanted – even change your password and lock you out.”
OAuth is a technology that, in simplest words, “delegates authentication”. That is, it lets users allow partial access to their data without revealing the identity of the user. Most commonly, this can be seen in action when authorizing apps on social websites like Facebook and Twitter, or when a social network uses your address book to find friends.
OAuth’s flagship website has an interesting metaphor on what OAuth is – Valet Parking:
“Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.”
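The valet-key idea can be modelled in a few lines. The following is an added example, not code from OAuth.net or from this article: a toy service that hands out a limited, revocable token instead of the password. It models only scoped tokens, not the OAuth message exchange, and the class name and the scope names `contacts:read` and `account:write` are hypothetical.

```python
import hashlib, secrets, time

class AddressBookService:
    """Toy resource server (hypothetical); models scoped tokens, not the OAuth wire protocol."""

    def __init__(self):
        self._contacts = {"alice": ["bob@example.com", "carol@example.com"]}  # constructed sample data
        self._pw_hash = {}
        self._tokens = {}  # token -> (user, scopes, expiry)

    def grant(self, user, scopes, ttl=3600):
        """Called after the user has logged in to THIS service and approved the scopes."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(scopes), time.time() + ttl)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def _authorize(self, token, needed):
        entry = self._tokens.get(token)
        if entry is None or entry[2] < time.time():
            raise PermissionError("unknown, revoked or expired token")
        user, scopes, _ = entry
        if needed not in scopes:  # the valet key does not open the trunk
            raise PermissionError(f"token lacks scope {needed!r}")
        return user

    def read_contacts(self, token):
        return list(self._contacts[self._authorize(token, "contacts:read")])

    def change_password(self, token, new_password):
        user = self._authorize(token, "account:write")  # hypothetical scope name
        salt = secrets.token_bytes(16)
        self._pw_hash[user] = (salt, hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1))

def demo():
    svc = AddressBookService()
    valet = svc.grant("alice", {"contacts:read"})  # the limited "valet key"
    results = {"contacts": svc.read_contacts(valet)}
    for name, call in [("change_password", lambda: svc.change_password(valet, "x")),
                       ("after_revoke", lambda: (svc.revoke(valet), svc.read_contacts(valet)))]:
        try:
            call()
            results[name] = "allowed"
        except PermissionError as exc:
            results[name] = f"denied: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

The third-party app holding the token can read the address book, cannot change the password, and loses all access once the user revokes the token, while the password itself never leaves the service.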
The advantages provided by a standardized protocol such as OAuth are obvious. With so many APIs in use, one protocol that gives users greater privacy and accessibility is always better suited. Anybody who has been around the social web scene – which would be most of us – can see the significance of such a standardized platform. A stable, ready-to-implement protocol is available on OAuth’s website, OAuth.net.
It is not a new concept, however: different websites have their own versions of OAuth (some of these came before OAuth), such as Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API and so on. But what OAuth aims to do is standardize the authentication methods on the web.
Many websites may want to use their own APIs, but if OAuth can innovate fast enough and address a wide range of issues that APIs face today, its adoption might become more widespread and diverse. From a content provider’s standpoint, it absolutely makes sense to use a standard protocol that “just works” rather than set up an authentication protocol for a new service.
With interminable new services and innovations on the web, such a technology will be in demand – and to a certain extent, it already is. If executed well, as is the case so far, OAuth may see more widespread use at immense scale.



Ibrahim Sajid Malick is a Pakistani-American writer, technologist, and social entrepreneur. He has been writing on Pakistani society and politics since 1986. He has held several media, communications, and technology positions for organizations large and small. Mr. Malick graduated from New School for Social Research with a master’s degree in anthropology. He holds several technology and management certifications. He works for a leading technology firm and blogs at www.ibrahimsajidmalick.com