OAuth: Good or bad?
After my recent mashup idea I started thinking about the actual implementation. The only thing that bothers me about this particular project is the API integration and the security.
The calls to Muti for submitting posts and voting posts up (or down, if that is ever enabled again) will require some user authentication. The same goes for the API call to Afrigator to get the user's MyGator posts.
There are obviously various ways to handle this authentication. I could ask the user for both their Afrigator and Muti usernames and passwords, but that would mean storing them on my side somehow. Users will surely not want to enter these every single time, so I would probably have to keep them in persistent storage, and even keeping them in temporary storage is risky. Obviously I'm not unethical and would go to every length to ensure the security of this information, but I also don't want to be burdened with this confidential information. The web server(s) I will be running the mashup on will probably be shared, and there is in any case no way for me to guarantee perfect security (or even come close to it), even if I ran it on a dedicated host.
This is one of the issues I have with Twitter at the moment. I don't like it one bit, but each Twitter mashup that requires authentication needs my original Twitter username and password, because that is what the API calls require.
The most common solution to this is to use a "shared secret". This is basically a randomly generated password that is used only between two specific sites to authenticate API calls, so the user's original username and password on either site never has to be shared with the other.
In my previous post I hinted at OAuth as that seems to be the upcoming industry standard for API authentication just like OpenID became the industry standard for cross-site user logins.
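As an added illustration (not code from this post, nor from Afrigator, Muti or any OAuth library), here is the OAuth 1.0 HMAC-SHA1 request signature, which is exactly the "shared secret" idea above: the consumer secret and token secret sign each call, and the user's password never leaves the site that issued the token. All key, token and URL values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse


def pct(value):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay as-is
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """Build the OAuth 1.0 signature base string.

    base_url is the request URL without its query string; params holds the
    query/body parameters plus every oauth_* protocol parameter except
    oauth_signature itself. (Assumes unique parameter names.)"""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """Client side: sign with the two shared secrets only, never a password."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signature(method, base_url, params, consumer_secret, token_secret, presented):
    """Server side: recompute from the secrets on file and compare in constant time.
    A real server also rejects stale oauth_timestamp and reused oauth_nonce values."""
    expected = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed example values for a hypothetical "submit post" API call
    params = {
        "oauth_consumer_key": "mashup-key",
        "oauth_token": "user-token",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1208400000",
        "oauth_nonce": "abc123",
        "oauth_version": "1.0",
        "url": "http://example.com/some-post",
    }
    sig = hmac_sha1_signature("POST", "http://api.example.com/submit", params,
                              "consumer-secret", "token-secret")
    print("oauth_signature =", sig)
```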
Although there are quite a few library implementations out there, there are not that many actual deployments. The only place I have actually seen it in action so far in a production environment (although I have to admit that I did not do a lot of searching around the interwebs) is between Magnolia and Nsyght. Twitter has been working on it for a long time now, but apparently the actual implementation is somewhat more tricky.
Anyway, on the one hand I would really like to see both Afrigator and Muti implement OAuth for their API authentication, as I figure we would be quite well ahead internationally if we were to do that. On the other hand I would not blame Neville nor Stii if they were somewhat reluctant to implement OAuth, as it has yet to "prove" itself. The standard is also not one of the simplest, and writing your own library might take some time. Using a third-party library that is not too well "settled in" yet might also have its risks.
I was about to send them private mail but then thought it's best to actually do this discussion in public as I think this is of general importance to the industry (internationally) at the moment. I am also looking to use OAuth for various of my own products shortly but I'm somewhat unsure so I would love to hear what other developers out there think. Please let's get a discussion going; blog, comment, go wild. Should we go with OAuth? Invent a simpler specification? Just use plain old usernames and passwords? Would love to hear your thoughts! :)
Copyright © 2004-2009 Charl van Niekerk. All articles are released under the Creative Commons Attribution 2.5 South Africa licence, unless where otherwise stated.
1 Comment
Comment by factoryjoe on Thursday, April 17, 2008 10:15:00 PM
Probably the best example of OAuth in the wild right now is on Yahoo's Fire Eagle location app and Dopplr.
Considering that the 1.0 spec was only finalized in December, I'd say we're doing pretty well on adoption and interest so far, given that it's taken OpenID at least two years to get to where it is... ;)
It's a shame that Twitter hasn't made good on their promise to implement OAuth yet. I realize they have many competing priorities, but the more Twitter apps I see that ask for your username and password, the more I'm seeing the potential for people to learn to be phished.
Anyway, I'd highly recommend using OAuth for your projects -- and contributing to the existing libraries rather than building your own! ;) We need all the help we can get!