Scott Kveton

Yesterday the OAuth 1.0 specification was announced as final. This has been brewing for a few months and I’m amazed at the work that Chris and Blaine and the rest of the specification editors that have been working on this.

For those that don’t know, OAuth can best be described from the site itself:

The answer is simple, OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials).

The launch of OAuth 1.0 reminds me a lot of the early days of OpenID. A small group of people leading with code and solutions has come together to build a fantastic solution to the API key problem. A light-weight technology that does one thing really, really well. That’s really cool and they did it in record time.

I’ve had quite a few people ask me “Why isn’t this a part of OpenID?” Again, the answer is best explained from the oAuth website:

The answer is simple, OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired.

Now, I actually think the two are really complimentary because OpenID doesn’t solve the API key problem. As a matter of fact, it makes it even more difficult. Using OpenID and oAuth together mean we can authenticate via OpenID and hand out oAuth keys to allow out-of-band access for web services or desktop applications. This is fantastic. Now we’re getting some very interesting technologies that are describing the open web.

Congrats to the OAuth crew for getting 1.0 out the door!