Wednesday, September 29, 2010

The Case for OAuth and Enterprise Software

I've been spending some time lately on OAuth and exploring its applicability for enterprise software and the cloud. To date, OAuth's use cases have been focused primarily on social networking. Yet customers are asking, will OAuth be useful? The answer, I believe, is YES!

But first, some background for those new to OAuth...

What is OAuth?
OAuth is an open authorization protocol used to allow 3rd-party desktop, mobile phone and web applications to access Internet services that are often accessed with a user-id and password or federated sign-on such as OpenID or SAML. The objective is to get rid of the anti-pattern of asking users to hand their user-id and password to a third party in order to obtain data from a web site or service.

Why should web site owners care about OAuth?
To answer this, I'll suggest an excellent article by Eric Sachs, Product Manager, Google Security, on OAuth Practices. Eric lays out the case for why social networking apps need OAuth. Eric answers key questions like:
  • What does [your company] get out of [OAuth]?
  • What if startups are already pulling data from [your company] without [your] permission?
  • What can [your] company do?
  • What data should we make available via OAuth?
  • and many more.
How did OAuth Originate?
According to Dave Recordon, OAuth was derived from several existing API authorization protocols originating from AOL, Flickr, Google, Microsoft, and Yahoo!. Paraphrasing Dave, "The thinking was that building a unified approach to authorization would reduce the burden of implementing any one of these protocols and provide third-party applications a more convenient and secure way to access user-controlled data."

Work moved quickly and the 1.0 implementation was very successful. But there was a problem. On the way to a formal IETF specification, a bug appeared that resulted in the revised 1.0a specification to fix a threat. Eran Hammer-Lahav tells the story here about the "session fixation attack". The problem was corrected and the fix was subsequently included in the IETF OAuth 1.0 draft (RFC 5849).
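The 1.0a fix Eran describes works by having the provider mint an oauth_verifier only when the user approves, hand it out only on the redirect to the callback that was registered when the request token was issued, and require it in the access-token request. The following is an added example, not code from this post or from any OAuth library: a simplified provider-side model (no request signing or HTTP; the consumer key, callback and user name are constructed) showing that the exchange succeeds only with the verifier, and only once.

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

@dataclass
class RequestToken:
    consumer_key: str
    callback: str                       # fixed when the token is issued (1.0a), not at authorization time
    authorized_by: Optional[str] = None
    verifier: Optional[str] = None      # minted only when the resource owner approves

class Provider:
    def __init__(self):
        self.request_tokens = {}
        self.access_tokens = {}

    def issue_request_token(self, consumer_key, oauth_callback):
        token = secrets.token_hex(8)
        self.request_tokens[token] = RequestToken(consumer_key, oauth_callback)
        return token

    def authorize(self, token, user):
        """The user approves; the verifier travels only in the redirect to the pre-registered callback."""
        rt = self.request_tokens[token]
        rt.authorized_by, rt.verifier = user, secrets.token_hex(8)
        return f"{rt.callback}?oauth_token={token}&oauth_verifier={rt.verifier}"

    def exchange(self, consumer_key, token, oauth_verifier):
        """Access-token request: a request token is single-use and needs the matching verifier."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.consumer_key != consumer_key or rt.authorized_by is None:
            return None
        if oauth_verifier is None or not secrets.compare_digest(oauth_verifier, rt.verifier):
            return None                 # a party that never received the verifier cannot finish
        del self.request_tokens[token]
        access = secrets.token_hex(8)
        self.access_tokens[access] = rt.authorized_by
        return access

def demo():
    """Constructed walk-through: no verifier or a wrong one fails, the right one works exactly once."""
    p = Provider()
    rt = p.issue_request_token("consumer-abc", "https://consumer.example/cb")
    verifier = parse_qs(urlparse(p.authorize(rt, "alice")).query)["oauth_verifier"][0]
    missing = p.exchange("consumer-abc", rt, None)
    wrong = p.exchange("consumer-abc", rt, "not-the-verifier")
    ok = p.exchange("consumer-abc", rt, verifier)
    replay = p.exchange("consumer-abc", rt, verifier)
    return missing, wrong, ok, replay, p.access_tokens.get(ok)
```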

OAuth 2.0 - Under Construction
After OAuth 1.0, a new specification emerged called "Simple OAuth" or WRAP. The objective was to take the OAuth concept and apply it to a broader set of use cases. Very quickly both the OAuth 1.1 work and the WRAP work were merged into a combined draft as the IETF OAuth Working Group achieved agreement to work on a new 2.0 protocol. This work introduces many new use cases and protocol flows and points toward a solution useful across a broad range of scenarios.

OAuth and the Traditional Enterprise Software Market
At the start of this post, I mentioned that YES, I feel that OAuth will be important to the Enterprise Software Market. As with large social media sites, vendors of large enterprise software systems such as ERP, CRM and HCM also have a community of third-party tool developers that want to integrate with enterprise applications.

At Oracle, I have already noticed the emergence of iPhone and Blackberry apps and the related discussions around the use of passwords in mobile apps. The password anti-pattern is everywhere in enterprise systems and it has to go! Mobile applications are just the first example of enterprise software demanding an OAuth-type solution.

Emergence of Cloud Services
As you'll no doubt have heard, Oracle made a number of announcements recently regarding support for cloud computing. This has profound implications. As we talk about enterprise software deployed in the cloud, perceptions of risk change, in part because corporate firewalls can't be counted on as the first line of defence. Because the cloud computing paradigm will put enterprise computing "in the cloud", the demand for 3rd-party application integration with enterprise systems is set to balloon!

Oracle and its competitors now have the same requirements faced earlier by the social networking communities supported by AOL, Flickr, Google, LinkedIn, Twitter, and Yahoo that pitched in their early support for OAuth.

Perfect Storm
The combination of steadily increasing enterprise security requirements, the evolution of user-controlled content, and the emergence of cloud computing represents a perfect storm of demand for OAuth in enterprise software. If OAuth 2 is successful, enterprise support won't be far behind - if not leading the way.

Next Steps
The Oracle Identity Standards team is beginning a phase of increased engagement in the IETF OAuth Workgroup to review and expand coverage of the spec to meet enterprise requirements. The OAuth 2.0 draft specification is definitely headed in the right direction. It seems clear it is time to help support the development of OAuth 2.

In light of this, I am recommending an OAuth Enterprise BOF meeting at the next IIW in Mountain View, California, on November 2-4. The objective will be to talk about whether there are any use-case/technical requirements that need to be addressed in the current 2.0 planned specification. Enterprise feedback needs to happen quickly if we are to make the 2.0 specification timeline.

Here's hoping you can make it!

Phil

6 comments:

Unknown said...

Google's identity team will also be at IIW to discuss Enterprise OAuth use-cases. We are looking forward to meeting more of the people on Oracle's identity team - Eric Sachs

Pat Patterson said...

Hi Phil - here's another great resource from Oracle for folks wanting to work with OAuth in an Enterprise setting: Securing REST Web Services With OAuth

Phil Hunt said...

Pat, thanks for the link. OAuth seems like an important requirement for REST scenarios involving delegation.

Eric...looking forward to the dialog! Prateek and I are planning to be at IIW.

Phil Hunt said...

My colleague, @NishantK, points to another use case from his Catalyst 2010 session. In it he suggests a scenario where a user provides consent for provisioning. http://bit.ly/a7q6cM

cmort said...

Hey Phil - Salesforce will be there to share our experiences with OAuth thus far and participate in any enterprise BOF

Brian said...

A number of us from Ping Identity will also be at IIW and are interested in engaging on this stuff.
