< Pseudonyms
Next >

OAuth: In RESTful Web Services I wrote over five pages (notably 253-258) of pretty dense prose discussing a problem with web service authentication: the user doesn't trust the client. We generally trust our web browsers to send our passwords to the site we're logging in to, and not also to seedy Russian IRC channels. But we can't extend that same level of trust to a web service client, especially when the client is running on a server we don't control. So how is the web service client supposed to make web service calls on our behalf?

That part of the book is now outdated because I went on to describe a set of equivalent ad hoc solutions to this problem, each created by a different web service provider for their services, with the implication that someone who's not me should get off their butt and come up with an open standard. This has now happened, and the result is OAuth. The people working on the standard are posting introductory guides to drum up interest. The standard is good, I've been pushing it on the companies I consult with, and the time is right to use the NYCB bully pulpit to spread it further. If I were Kenneth Turan I would rave, "The most significant HTTP authentication mechanism since Basic!"

Incidentally, today's the first day of my job, but I don't actually start until tomorrow because it's a holiday.

Filed under:


[Main]

Unless otherwise noted, all content licensed by Leonard Richardson
under a Creative Commons License.