Addressing OAuth Flaws

A few days ago, my colleague Loraine Lawson suggested some reading material on OAuth and security issues. For those of you unfamiliar with OAuth, it's "an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications." It allows for third-party access to Web sources without the need for sharing passwords.


Security issues with OAuth are not exactly new. Last spring, CNET writer Caroline McCarthy reported a security hole in the protocol that "acts as a valet key for users' log-in information, leading services like Twitter and Yahoo to temporarily pull support."


The OAuth community is working to fix these security issues. On O'Reilly Radar, David Recordon wrote:


"Last year OAuth transitioned to the IETF as a new Working Group to produce version 1.1 which would be suitable for publication as an Internet Standard. The working group was tasked with reviewing the security and interoperability properties of the protocol, while maintaining as much backwards-compatibility as possible. . . . At the same time, new use cases emerged as well as a significant amount of hands-on experience about the shortcomings and gaps in the 1.0a version of the protocol. A small group of developers herded by Dick Hardt started work on simplifying the protocol, inspired by the OAuth Session Extension proposed by Yahoo!. Originally dubbed 'Simple OAuth', it was later renamed to WRAP (Web Resource Authorization Protocol) to reflect the fact that it is a different protocol. It is now known as OAuth WRAP."


WRAP adds new flows for obtaining authorization and is designed to improve user experiences on desktop applications and on JavaScript applications. Recordon wrote:


"And unlike 1.0a where the server issues and verifies every token, the tokens in OAuth WRAP are short lived and can represent claims issued by an authorization server, providing scale and security benefits for large operators."
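The short-lived claims token Recordon contrasts with 1.0a, as an added illustration that is not the WRAP wire format or any project's code: the authorization server signs a few claims plus an expiry with a key it shares with the resource server, so the resource server verifies the token locally instead of asking the issuer about every token. The HMAC construction, the shared key, and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared by the authorization server and the resource server;
# in a deployment it would be provisioned out of band, never embedded.
SHARED_KEY = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, ttl_seconds: int, now: float, key: bytes = SHARED_KEY) -> str:
    """Authorization-server side: attach an expiry to the claims and sign them."""
    payload = dict(claims, exp=int(now) + ttl_seconds)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, now: float, key: bytes = SHARED_KEY):
    """Resource-server side: check the signature and expiry locally, with no
    call back to the issuer. Returns the claims, or None if the token is bad."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; a mismatched length also yields False.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON
        return None
    # Short lifetime bounds the damage from a leaked token.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_000_000.0
    token = issue_token({"user": "alice", "scope": "read"}, 300, t0)
    print(verify_token(token, t0 + 10))   # claims accepted inside the lifetime
    print(verify_token(token, t0 + 301))  # None: expired
```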


Still, there are skeptics about OAuth and how its security issues should be addressed. I'll touch on that topic tomorrow.
