OAuth

How the OAuth Security Battle Was Won, Open Web Style - ReadWrit.

Last Friday was a hot day in Sebastopol, California. Eran Hammer-Lahav rolled into town hours after finding out that there was a security hole in his pet project for the last few months, a new way to use Twitter to log in to third-party sites using the OAuth protocol instead of user names and passwords. Working as the Open Web Evangelist at Yahoo, Hammer-Lahav was relieved to have been told about the hole so he could help fix it.

When he arrived in Sebastopol at a small event of industry leaders called Social Web FOO Camp, he talked with friends and colleagues about it. At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth, and scores of tiny startups had too. OAuth has support, but it doesn't have a centralized authority ready to deal with problems like this.

The Nature of The Problem

How It All Went Down

OAuth Playground

Important: OAuth 1.0 was officially deprecated on April 20, 2012, and is no longer supported. We encourage you to migrate to OAuth 2.0 as soon as possible.

OAuth documentation

This document describes how to get started using Google's implementation of the OAuth protocol to authorize a web application's requests for access to a user's data.

If instead your application is installed on a computer or a mobile device, you should read the documentation on OAuth for Installed Apps.

Prerequisites

This document is written for web application developers using the Google Data APIs to access a user's data. OAuth 1.0 for Google accounts is going away. Schedule for user-visible changes to the approval page:

The OAuth authorization process

The OAuth authorization process involves a series of interactions between your web application, Google's authorization servers, and the end user. At a basic level, the process is as follows: If the user is not already logged in, Google prompts the user to log in.

Mashups: Google's Adoption Makes OAuth a Must Have for All

The open-standard user authentication protocol OAuth has now been implemented across all Google Data APIs, quickly offering this young standard for easy mashups more market validation than it has ever had before.

Eight months ago we wrote about the launch of OAuth 1.0, asking if the standard would lead to a flood of mashups across the web. A standard method of authenticating users across different services means that mashup builders need only write one authentication process, then apply it to all data sources that support the standard. That's hot, and it's now spreading faster around the web than we thought. We discuss what this means for users below.

Google's Support

Last night the Google Data API blog announced that OAuth is now available for all Google Data APIs, everything from Gmail contacts to Google Calendar to Docs to YouTube. Google had included OAuth in the OpenSocial framework, but there was little indication that app developers were making use of it.

Other Support