I CAN HAD OPEN: OAuth First Summit a Hit!

Editor's note: This post was originally published on hueniverse: thoughts on technology & open standards.

The first OAuth Summit hosted by Yahoo! last week was a huge success. Fifty (!) OAuth community members attended, representing 20 companies, large and small, as well as a couple of dedicated individuals. The list of companies represented is extremely gratifying to see considering that OAuth remains a community-driven effort: Agree2, AOL, BroadOn, Bubble Labs, Eye-Fi, Facebook, Garmin, Google, LinkedIn, Ma.gnolia, Microsoft, MySpace, Plaxo, Pownce, SafeMashups, Salesforce, Songbird, Veodia, Vidoop, and Yahoo!.

The summit would not have been half as good without the help of a few individuals. Stacy Milman from Yahoo! Developer Network did an outstanding job organizing the event on behalf of our host, setting the location, helping with registration, and making sure everything was just right. Cindy Li designed our super cool schwag: the OAuth T-shirt and stickers – look out for the OAuth cat on a laptop or co-worker near you.

Eric Sachs helped create the agenda for the event and organized the demo session that kicked off the rest of the day. Chris Messina set up the wiki and registration page.

The summit started with an update on the OAuth IPR (intellectual property rights) agreement, which is in its final approval stages (more news on OAuth licensing to follow); the current proposal for revising the Core specification; and the list of proposed extensions for the community to consider. The update was followed by a demo session which included:

  • MySpace iGoogle gadget – Joseph Estrada (MySpace) and Dirk Balfanz (Google) demoed the new MySpace iGoogle gadget using Google’s OAuth Proxy to communicate with MySpace's recently announced Data Availability OAuth-enabled APIs.
  • Google Health – Christian Sonntag (Google) showed a test application built on top of the Google Health API, which uses OAuth to protect confidential medical records.
  • PortableContacts – Joseph Smarr (Plaxo) showed a working example of the new Portable Contacts API using OAuth to manage the authorization delegation part of sharing address book information.
  • Pownce iPhone Application – Mike Malone (Pownce) showed how to use custom URI schemes on the iPhone to improve usability of the OAuth authorization flow.
  • FireEagle Authorization Page – Seth Fitzsimmons (Yahoo! Brickhouse) showed how FireEagle implemented the OAuth authorization page and the lessons learned from building a service with sensitive personal data and complex permissions.
  • Microsoft Live Authentication – Angus Logan (Microsoft) gave a demo of Live Authentication – Microsoft’s OAuth-like protocol – showing the authorization flow as well as advanced features like the ability to authorize multiple resources with different access levels.
  • CrunchBase Application for MySpace – Paul Walker (MySpace) explained how MySpace uses OAuth and demoed the minutes-old CrunchBase application built on top of MySpace Data Availability.

It was great to see real products coming out with OAuth support as well as existing players transitioning to use the protocol. After the demos, we dived into a four-hour technical roundtable session about the future of the protocol. The discussion covered a wide range of topics and included:

  • Scope for the next iteration of the specification and first round of extensions.
  • Token Attributes – providing a standard way to indicate the kind of access being requested and granted.
  • Error Handling – adding error codes to Core to improve interoperability.
  • OAuth Discovery – a mechanism to allow clients to auto-configure the OAuth endpoints.
  • OpenSocial & OAuth – update on how OpenSocial is using OAuth as its official delegation protocol.
  • OpenID + OAuth – a proposal for combining the two protocols for Service Providers who are also Identity Providers.
  • Session Extension – support for large providers allowing easier deployment of OAuth across multiple properties and distributed environments.
  • OAuth for Gadgets – discussion around the Google OAuth Proxy and related extensions such as key rotation and gadget support.
  • Automatic Registration – providing a way for anonymous or automatically registered Consumers.

The day concluded with dinner and drinks and some interesting casual conversations about where the community is headed and the projects people are interested in working on. The summit provided much-needed energy and got the community excited about the work ahead, which is already taking shape on the OAuth list. If you are new to OAuth or just could not make it to the summit, please join us and participate.

Eran Hammer-Lahav
Open Standards Evangelist