OAuth, or Open Authentication, is “an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications”. Basically, it’s a way to allow one web application to utilize another without the need for users to worry about pesky authentication keys or the like. It also allows for data interchange without the passing of account credentials. Or to put it another way, OAuth allows a user to grant access to their information on one site to another site, without sharing all of their identity.
Despite being conceived only a couple of years ago, and notwithstanding that one of its originators, Ma.gnolia, had a well-publicized and ultimately disastrous story, OAuth saw the light of day around the end of 2007.
In part due to the exposure that they gained from their initial implementers (Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, Google and Yahoo), OAuth has rapidly become the accepted way to authenticate users quickly and easily. I’ve utilized OAuth, OpenID and traditional authentication key methods – OAuth is by far the easiest, cleanest and most elegant solution.
In the past few weeks a number of vendors in the accounting software space have rolled out OAuth support. First, FreshBooks announced it had begun supporting OAuth and came out with a strong recommendation that all third-party add-ons to FreshBooks implement OAuth as well, as FreshBooks “may eventually require it for all future add-ons”.
Sunir Shah, Chief Handshaker at FreshBooks, sees OAuth as the way of the future. He told me that, in his opinion:
Everyone exposing a public API should be using OAuth as their method of authenticating third parties.
As Shah sees it, OAuth gives vendors the ability to protect their customers from a compromised integration, as was recently the case when Twitter shut down OAuth after discovering a vulnerability. OAuth also gives users control over who exactly has access to their data, and when.
Shah raised an interesting point for SaaS vendors trying to create an ecosystem surrounding them. As he said:
…these days, everyone wants to build an App Store. Because every access key is a license that you can turn on and off, OAuth makes it easier for your integrations to generate revenue, and that means more and better integrations
Similarly, and in the same week, Xero announced support for OAuth. They did so, however, under the overarching developer preview release of their version 2 API, a much broader offering that, they say, furthers their aim to become “the Accounting Engine for the Internet”. I’ll post more detail when it is rolled out en masse, but in the meantime (and as an aside) check out one of the early integrations using OAuth, the very cool little time-tracker application MinuteDock, built specifically as a Xero add-on.
It’s exciting times in the authentication space – with plenty more to come!

It is nice to see OAuth finally gaining more traction. We considered using it for our API at Intervals but ultimately decided against it for two reasons: 1) it can be cumbersome for developers to implement in their third-party apps, thereby reducing its adoption, and 2) it still needs more mainstream traction before we can require our customers to use it.
Once a web-based app has successfully built its API community it can transition towards OAuth in the way FreshBooks has done, and in the way others, including ourselves, will likely follow.