Thursday, January 29, 2009

Google Releases Hybrid OpenID OAuth Extension

Interesting release from Google today: they've published a hybrid OpenID OAuth Extension, which they describe as a mechanism to combine an OpenID authentication request with the approval of an OAuth request token. In case you're not familiar with OAuth, it is an open protocol, initiated by Blaine Cook and Chris Messina, that allows secure API authorization in a simple and standard way for desktop, mobile and cloud applications.

For consumer developers, OAuth is a method to publish and interact with protected personal data. For service provider developers, OAuth gives users a way to share their data while protecting their account credentials. In other words, OAuth allows a user to grant one site (the Consumer) access to his or her information on another site (the Service Provider) without revealing his or her full identity or credentials to the Consumer.

The new Google-sponsored OpenID OAuth Extension describes how to make the OpenID Authentication and OAuth Core specifications work well together. In its current form, it addresses the use case where the OpenID Provider and the OAuth Service Provider are the same service. To provide a good user experience, it is important to present the user with a single combined authentication and authorization screen for the two protocols.

This extension describes how to embed an OAuth approval request into an OpenID authentication request so that the user can approve both in one step. For security reasons, the OAuth access token is not returned in the OpenID authentication response. Instead, a separate mechanism for obtaining the access token is provided.
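To make the flow concrete, here is an added simulation of the hybrid exchange written for this post; it is not Google's sample code and not the extension's reference implementation. It models a single service acting as both OpenID Provider and OAuth Service Provider, and a Relying Party that is also the OAuth Consumer. The extension namespace URI and the `openid.oauth.consumer`, `openid.oauth.scope` and `openid.oauth.request_token` parameter names are taken from the extension spec; the domains, tokens, secrets and scope value are constructed, the OpenID signature is simplified to an HMAC over the signed fields, and `oauth_sign` is a stand-in for OAuth's real signature base string. The point to watch is that the front-channel response carries only a pre-approved request token, and the access token is only ever issued on a separate back-channel call that the registered consumer must sign.

```python
import hmac
import hashlib
import secrets

# Namespace URI the OpenID OAuth Extension uses for its parameters (from the extension spec).
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"
OPENID_NS = "http://specs.openid.net/auth/2.0"


def openid_sign(assoc_secret, fields, signed):
    """Simplified OpenID 2.0 signature: HMAC over 'key:value\\n' pairs of the signed fields."""
    msg = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return hmac.new(assoc_secret, msg, hashlib.sha256).hexdigest()


def oauth_sign(consumer_secret, request_token):
    """Stand-in for the OAuth consumer signature on the access-token request (constructed)."""
    return hmac.new(consumer_secret.encode(), request_token.encode(), hashlib.sha256).hexdigest()


class HybridProvider:
    """One service acting as both OpenID Provider and OAuth Service Provider."""

    def __init__(self):
        self.assoc_secret = secrets.token_bytes(32)      # constructed association secret shared with the RP
        self.consumers = {"rp.example": "rp-secret"}     # constructed consumer registration
        self.request_tokens = {}                         # request token -> {"consumer", "scope"}
        self.access_tokens = {}

    def checkid(self, req, user_approves):
        """Combined screen: on approval, return an identity assertion carrying a pre-approved request token."""
        consumer = req.get("openid.oauth.consumer")
        if req.get("openid.ns.oauth") != OAUTH_EXT_NS or consumer not in self.consumers or not user_approves:
            return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer, "scope": req["openid.oauth.scope"]}
        resp = {
            "openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.claimed_id": req["openid.claimed_id"], "openid.identity": req["openid.identity"],
            "openid.return_to": req["openid.return_to"],
            "openid.ns.oauth": OAUTH_EXT_NS,
            "openid.oauth.request_token": token,         # only the request token, never the access token
            "openid.oauth.scope": req["openid.oauth.scope"],
        }
        # The extension fields are included in the signature so the RP can trust them.
        signed = ["ns", "mode", "claimed_id", "identity", "return_to",
                  "ns.oauth", "oauth.request_token", "oauth.scope"]
        resp["openid.signed"] = ",".join(signed)
        resp["openid.sig"] = openid_sign(self.assoc_secret, resp, signed)
        return resp

    def access_token(self, consumer, request_token, signature):
        """Back-channel exchange: only the consumer the token was approved for can redeem it, once."""
        entry = self.request_tokens.get(request_token)
        if entry is None or entry["consumer"] != consumer:
            raise PermissionError("unknown request token or wrong consumer")
        if not hmac.compare_digest(oauth_sign(self.consumers[consumer], request_token), signature):
            raise PermissionError("bad consumer signature")
        del self.request_tokens[request_token]           # a request token is redeemed once
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = entry
        return token


class RelyingParty:
    """OpenID Relying Party that is also the OAuth Consumer."""

    def __init__(self, provider, key, secret):
        self.provider, self.key, self.secret = provider, key, secret
        self.assoc_secret = provider.assoc_secret        # obtained through an OpenID association in practice

    def auth_request(self, claimed_id, scope):
        return {
            "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.return_to": "https://rp.example/return",
            "openid.ns.oauth": OAUTH_EXT_NS,
            "openid.oauth.consumer": self.key,           # the OAuth consumer key rides along with the OpenID request
            "openid.oauth.scope": scope,
        }

    def request_token_from(self, resp):
        """Accept the request token only if the extension fields are covered by a valid signature."""
        if resp.get("openid.mode") != "id_res":
            return None
        signed = resp["openid.signed"].split(",")
        if not {"ns.oauth", "oauth.request_token", "oauth.scope"} <= set(signed):
            raise ValueError("OAuth extension fields not covered by the signature")
        if not hmac.compare_digest(openid_sign(self.assoc_secret, resp, signed), resp["openid.sig"]):
            raise ValueError("bad OpenID signature")
        return resp["openid.oauth.request_token"]

    def fetch_access_token(self, request_token):
        return self.provider.access_token(self.key, request_token, oauth_sign(self.secret, request_token))


def run_hybrid_flow(user_approves=True):
    """Run one combined login+approval and the follow-up token exchange; returns (provider, rp, response, access)."""
    provider = HybridProvider()
    rp = RelyingParty(provider, "rp.example", "rp-secret")
    req = rp.auth_request("https://op.example/alice", "https://op.example/feeds/")  # constructed user and scope
    resp = provider.checkid(req, user_approves)
    request_token = rp.request_token_from(resp)
    access = rp.fetch_access_token(request_token) if request_token else None
    return provider, rp, resp, access
```

Running `run_hybrid_flow()` yields an `id_res` response whose values contain no access token; the access token exists only in the provider's store after the signed exchange, the request token is consumed by that exchange, and a response whose scope is altered after signing is rejected by the Relying Party.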

If you're interested in looking at some code, check out the working sample using the Google Data PHP client library. The source code is available here.

Core docs here.
