The Coming of Age of OAuth

By Pavel Shub

As the “big players” like Facebook, Google and Twitter have begun adopting OAuth, we will be seeing a more integrated web. For those not aware, OAuth allows a user to log into a 3rd party site using credentials from another website. Furthermore it allows the 3rd party site to perform actions on the other site (post a status update, tweet, check-in, etc.).
From a user’s perspective, the whole process can be innocuous. A user goes to a 3rd party site, clicks on the OAuth login button, is redirected to the OAuth providing site (i.e., Facebook), logs in using his/her credentials, then is redirected back to the 3rd party site. Now he/she can use unique features of the 3rd party site with the OAuth provider credentials.

So who’s doing it? OAuth has been the buzz in the tech world for the past few months. Enough so that that Facebook, Twitter, Google, MySpace, FourSquare, Netflix are in. Although there is no specification regarding what a 3rd party site should or shouldn’t be allowed to do on the OAuth-providing site, most provide enough APIs to replicate a good portion of the site functionality. Twitter and Foursquare allow you to do anything that you can already do through their web interface/app. This is great for developers as they can build their own twitter/foursquare clients. And of course this isn’t just limited to small party sites and applications; Facebook uses OAuth with Google for it’s friend finder feature.

To the end user this is great! Services are now integrated together. Say goodbye to the creation of countless user accounts. Everything could be accessed via your Facebook login. If you want to share something with friends, you can do that via 1 click as opposed to being redirected to the specific OAuth provider’s share page. Aside from simplicity, security gets a benefit. Facebook’s friend finder asks for a user’s email and password so it can access the contact list. With gmail, if your original email account is with gmail, all you have to do is log in and that’s it.

Excitement aside, it can be easy to overlook the potential security/privacy issues. When logging in with OAuth, you are allowing a 3rd party to act on your behalf. So, let’s say you have logged in with Twitter on a 3rd party site – a year later, that 3rd party site could potentially spam tweets from your account. The counter argument states that twitter can then instantly disable any actions from that 3rd party site, but that doesn’t help against the initial occurrence. Another thing to note is that when logging in with OAuth credentials, it is possible to give away all of the personal information available to the OAuth provider. So when logging in with Facebook, the 3rd party site gets the user’s email address, name, location, relationship status, friends, etc… As it becomes easier to integrate services it also becomes easier to spread your personal information unknowingly. None of this is a problem of OAuth specifically, but rather stems from improper implementations.

All in all, OAuth is an excellent tool that will bring a more seamless web in the future. It is possible that we may end up with a central social hub that allows us to control all of our servers. Imagine going to a movie theater and posting a status update from Facebook. It would instantly check you in with FourSquare and post to Twitter. In addition to Netflix learning which movie to suggest to you later. We’ve written about Data Portability before, and looks like OAuth actually won.

  • aDaddyBlog

    Good post, and while I’ve seen similar products, none with so broad a reach off the bat. I recently re-tracted similar 3rd party entanglements with my facebook account when they “over shared”. And this was no fly by night enterprise that did it. It really does warrant some security concern. They literally were able to bypass she security I’d locked down on Facebook and share personal info one could not get directly via Facebook even if you were my friend. So let’s hope OAuth really thinks it through. Integration with Twitter is a no-brainer, but Facebook is a whole other story.