I've been spending some time lately on OAuth and exploring its applicability for enterprise software and the cloud. To date, OAuth's use cases have been focused primarily on social networking. Yet customers are asking, will OAuth be useful? The answer, I believe, is YES!
But first, some background for those new to OAuth...
What is OAuth?
OAuth is an open authorization protocol that allows 3rd-party desktop, mobile phone and web applications to access Internet services that are normally accessed with a user-id and password or with federated sign-on such as OpenID or SAML. The objective is to get rid of the anti-pattern of asking users to hand their user-id and password to a third party so it can obtain data from a web site or service on their behalf.
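To make the contrast concrete, here is an added example (my own constructed code, not part of the original post or any OAuth library) that models the two approaches side by side: a third party that holds the user's password gets everything the user can do, for as long as it keeps the password, while a delegated grant is bound to one client, limited to the resources the user agreed to share, and can be revoked without changing the password. The user record, client id and scope names are all made up for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory "service": one user, two resources of differing sensitivity.
# A real service would store a password hash, not the password itself.
USERS = {"alice": {"password": "hunter2",
                   "contacts": ["bob", "carol"],
                   "billing": "card ending 4242"}}


def antipattern_fetch(username: str, password: str, resource: str):
    """The password anti-pattern: the third party presents the user's own
    credentials. Nothing distinguishes it from the user, so it can read
    every resource, and the only way to cut it off is a password change."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("bad credentials")
    return user[resource]


@dataclass
class DelegatedAccess:
    """OAuth-style delegation: the service issues an opaque token tied to
    (user, client, scopes). The client never sees the password."""
    tokens: dict = field(default_factory=dict)  # token -> (user, client_id, scopes)

    def grant(self, username: str, client_id: str, scopes) -> str:
        token = secrets.token_urlsafe(24)          # unguessable, opaque to the client
        self.tokens[token] = (username, client_id, frozenset(scopes))
        return token

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)               # user or service can pull access at any time

    def fetch(self, token: str, client_id: str, resource: str):
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        username, bound_client, scopes = entry
        if bound_client != client_id:
            raise PermissionError("token was not issued to this client")
        if resource not in scopes:
            raise PermissionError(f"grant does not cover '{resource}'")
        return USERS[username][resource]
```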
Why should web site owners care about OAuth?
To answer this, I'll suggest an excellent article by Eric Sachs, Product Manager, Google Security, on OAuth Practices. Eric lays out the case for why social networking apps need OAuth. Eric answers key questions like:
- What does [your company] get out of [OAuth]?
- What if startups are already pulling data from [your company] without [your] permission?
- What can [your] company do?
- What data should we make available via OAuth?
- and many more.
How did OAuth Originate?
According to Dave Recordon, OAuth was derived from several existing API authorization protocols originating from AOL, Flickr, Google, Microsoft, and Yahoo!. Paraphrasing Dave, "The thinking was that building a unified approach to authorization would reduce the burden of implementing any one of these protocols and provide third party applications a more convenient and secure way to access user controlled data."
Work moved quickly and the 1.0 implementation was very successful. But there was a problem. On the way to a formal IETF specification, a vulnerability was found, and a revised 1.0a specification was issued to address the threat. Eran Hammer-Lahav tells the story here about the "session fixation attack". The fix was subsequently included in the IETF OAuth 1.0 draft (RFC 5849).
OAuth 2.0 - Under Construction
After OAuth 1.0, a new specification emerged called "Simple OAuth" or WRAP. The objective was to take the OAuth concept and apply it to a broader set of use cases. Very quickly both the OAuth 1.1 work and the WRAP work were merged into a combined draft as the IETF OAuth Working Group agreed to work on a new 2.0 protocol. This work introduces many new use cases and protocol flows and points toward a highly useful solution across a broad range of use cases.
OAuth and the Traditional Enterprise Software Market
At the start of this post, I mentioned that YES, I feel that OAuth will be important to the Enterprise Software Market. As with large social media sites, vendors of large enterprise software systems such as ERP, CRM, HCM, also have a community of third-party tools developers that want to integrate with enterprise applications.
At Oracle, I have already noticed the emergence of iPhone and Blackberry apps and the related discussions around the use of passwords in mobile apps. The password anti-pattern is everywhere in enterprise systems and it has to go! Mobile applications are just the first example of enterprise software demanding an OAuth type solution.
Emergence of Cloud Services
As you'll no doubt have heard, Oracle made a number of announcements recently regarding support for cloud computing. This has profound implications. As we talk about enterprise software deployed in the cloud, perceptions of risk change, in part because corporate firewalls can't be counted on as the first line of defence. Because the cloud computing paradigm will put enterprise computing "in the cloud", the demand for 3rd-party application integration with enterprise systems is set to balloon!
Oracle and its competitors now have the same requirements faced earlier by the social networking communities supported by AOL, Flickr, Google, LinkedIn, Twitter, and Yahoo that pitched in their early support for OAuth.
Perfect Storm
The combination of steadily increasing enterprise security requirements, the evolution of user-controlled content, and the emergence of cloud computing represent a perfect storm of demand for OAuth in enterprise software. If OAuth 2 is successful, enterprise support won't be far behind - if not leading the way.
Next Steps
The Oracle Identity Standards team is beginning a phase of increased engagement in the IETF OAuth Workgroup to review and expand coverage of the spec to meet enterprise requirements. The OAuth 2.0 draft specification is definitely headed in the right direction. It seems clear it is time to help support the development of OAuth 2.
In light of this, I am recommending an OAuth Enterprise BOF meeting at the next IIW in Mountain View, California, on November 2-4. The objective will be to talk about whether there are any use-case/technical requirements that need to be addressed in the current planned 2.0 specification. Enterprise feedback needs to happen quickly if we are to make the 2.0 specification timeline.
Here's hoping you can make it!
Phil