That part of the book is now outdated because I went on to describe a set of equivalent ad hoc solutions to this problem, each created by a different web service provider for their services, with the implication that someone who's not me should get off their butt and come up with an open standard. This has now happened, and the result is OAuth.
The people working on the standard are posting
introductory guides to drum up interest. The standard is good, I've been pushing it on the companies I consult with, and the time is right to use the NYCB bully pulpit to spread it further. If I were Kenneth Turan I would rave, "The most significant HTTP authentication mechanism since Basic!"
Incidentally, today's the first day of my job, but I don't actually start until tomorrow because it's a holiday.
Mon Oct 08 2007 12:48 OAuth:
In RESTful Web Services I wrote over five pages (notably 253-258) of pretty dense prose discussing a problem with web service authentication: the user doesn't trust the client. We generally trust our web browsers to send our passwords to the site we're logging in to, and not also to seedy Russian IRC channels. But we can't extend that same level of trust to a web service client, especially when the client is running on a server we don't control. So how is the web service client supposed to make web service calls on our behalf?
under a Creative Commons License.