Yahoo! and Open Standards at f8

Allen Tom at f8

This week, at the Open Standards panel at Facebook's f8 developer conference, I had the opportunity to talk about OAuth, OpenID, and other open standards. I did this with Facebook's David Recordon, Luke Shepard, and Naitik Shah, along with Twitter's Raffi Krikorian. Yahoo! was a very early supporter of OAuth, and we're really happy to see OAuth become the industry standard for API authorization, with support from many service providers including Twitter, LinkedIn, Google, MySpace, Netflix, and now most recently... Facebook.

One of the big themes at the f8 conference was lowering friction for users to engage with websites. In keeping with this theme, OAuth is about lowering friction for developers to engage with APIs. Before OAuth, developers had to read really bad documentation to learn proprietary terminology, use difficult signature algorithms, and perform weird browser gymnastics just to call an API. Despite the apparent differences, under the covers these proprietary auth schemes were all about the same.



Because it doesn't make any sense for everyone to reinvent the wheel, experts from throughout the industry collaborated to define OAuth 1.0, combining best practices from all the different auths into a standard interface. While a standard auth interface was intended to make things easier, it turned out that many developers found OAuth really hard to use, and Service Providers found OAuth 1.0 hard to implement.

After deploying OAuth, Yahoo!, Google, Microsoft, and others realized that we could use the OAuth Session Extension to make OAuth super easy for developers to use, while solving many of the headaches that Service Providers had with deploying OAuth 1.0.

After brainstorming at the Internet Identity Workshop, we wrote OAuth-WRAP (Web Resource Allocation Protocol), which defined an Auth interface that was so easy that no library was needed. Developers can just manually curl WRAP requests, or type them into their web browser.

On the Service Provider side of things, WRAP is far more scalable than OAuth 1.0 for highly distributed SaaS and cloud architectures. We thought that WRAP made a lot of sense, and we contributed it to the Internet Engineering Task Force (IETF), where it served as the inspiration for OAuth 2.0.

Yahoo! believes that OAuth and other open standards will help keep the web open and interoperable. It's really gratifying to see the major players and the grassroots community come together to define open standards and portable identities. If you're interested in helping to define the future of Internet Identity using open standards, join us at the Internet Identity Workshop in Mountain View, CA on May 17-19.

Allen Tom (@Allen Tom)
Yahoo! Membership Architect. Allen likes OAuth.