We've implemented a couple dozen OAuth implementations in the past months, and no two have been the same. We've seen OAuth 1.0a (2-legged, 3-legged) and OAuth 2.0 (username/password, user-agent, and web-server flows) with custom token types (bearer, MAC, SAML), just to name a few. We wanted to write some posts that discuss the factors we see driving these variances and their implications. We also want to compare and contrast each of these variances, along with our own lessons learned.
I've been posting a bit on OAuth best practices recently. But I want to take a step back and talk about why OAuth is important in the first place, why it's difficult, and how to think about it for your API.
“If the minimum wasn’t good enough, it wouldn’t be the minimum.” - Keith W.
Wise words from one of my developers many years ago. When it comes to tackling PCI Compliance, it is advice well worth taking.
With leaks of sensitive customer information in the news, there’s an increased focus on compliance as more services shift to cloud computing and APIs.
If you are a merchant of any kind or deal with customer credit card information then you must be aware of PCI compliance regulations that are designed to protect consumer credit card information from exposure....
Since we first wrote about OAuth 1.0 vs. 2.0 a while back, lots has been happening and lots has changed. The OAuth community has made progress and made changes, and an increasing number of API providers have deployed APIs that use OAuth 2.0. (Similarly, the number of new OAuth 1.0-enabled APIs doesn't seem to be growing.)
We've been busy helping our customers implement OAuth-based APIs, and we've also been watching the process develop. Here are some things that we've learned:
OAuth is a solution -- not a technology.
In order for an API provider to support OAuth, a number of...
Part 1: The Web
In the beginning -- way back in the beginning -- the web was all about open access. Tim Berners-Lee and his colleagues focused on making information available, not on protecting it from unauthorized users.
But as time went on, and as Al Gore took the initiative in liberating the government-run Internet backbone for commercial use (really), the Web became about "e-commerce," and e-commerce required security. SSL matured to ensure that sensitive traffic was encrypted all the way from the client to the server and back, and various schemes emerged to allow user authentication.
This is an...
We've been following the fast-moving debate in the IETF regarding OAuth 2.0. OAuth, for those of you who have not encountered it already, is a set of authentication technologies for the Internet designed around the concept of an access token.
Access tokens, in the words of Eran Hammer-Lahav, are like valet keys -- they give the holder access to a specific function, for a specific amount of time. For instance, you might use OAuth to give another web site the ability to read photos from your Flickr profile, but not to modify them....