September 2007

September 26, 2007

OAuth Authentication 1.0 Draft 2 Released

I am glad to announce that OAuth Authentication 1.0 Draft 2 was released a few minutes ago. It includes many small fixes to make it read better, and a few more significant changes such as RSA support and a new Security Considerations appendix. We also added easier navigation and section numbers to make it easier to use. We will be listening to your feedback over the next 5 days and then release the final specification, or publish Draft 3 if needed.

September 24, 2007

Microblogging Earthquakes

Twitter recently added a very cool and somewhat unproductive way of doing what I call strolling the social graph (a technical term some folks really don’t like, but offer no good replacement for). It is called Blocks and lets you graphically see who the people you are following follow, and what they’re up to. The tool itself is very well designed and fun to use. The idea is that if you are following someone, you might be interested in who they are following too. What is unproductive about it is that it doesn’t go the extra mile of allowing you to follow people by proxy.


September 21, 2007

OAuth 1.0 Public Draft Released

The OAuth specification went through some significant rewrites over the past few weeks and is now, finally, ready for public review. Draft 1 has been posted today, with a planned Draft 2 next week and a final version October 1st. If you have been reading the spec over the past few months, you’ll notice that the workflow has been unified for websites, desktop applications, and mobile devices. We also simplified the signature process and added implementation details. The spec now includes a complete example from beginning to end.
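As an added illustration of the signing step this paragraph mentions, here is a worked OAuth 1.0 HMAC-SHA1 signing and verification routine. It is not code from Draft 1 or from the OAuth project; it follows the rules of the final specification, RFC 5849 (base string URI, parameter normalization, signature base string, and the `consumer_secret&token_secret` key), which differ in detail from the 2007 drafts. The request values are taken from RFC 5849's own worked example; the two secrets are constructed for this demo.

```python
"""OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849 (final spec, not the 2007 drafts).
Added example; not code from the OAuth drafts or project."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """Percent-encode per RFC 3986 section 2.1: only ALPHA, DIGIT, '-', '.', '_', '~' pass
    through; everything else (including '/', '+', '*' and space) becomes uppercase %XX."""
    return quote(value, safe="")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def collect_parameters(url: str, body: str, oauth_params: dict) -> list:
    """Decoded query, form-encoded body and oauth_* header parameters (duplicates kept).
    oauth_signature and realm are never part of what gets signed."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    return params


def normalize_parameters(params: list) -> str:
    """Encode each name and value, sort by encoded name then value, join with '=' and '&'."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """METHOD & encode(base string URI) & encode(normalized parameters)."""
    params = collect_parameters(url, body, oauth_params)
    return "&".join([method.upper(),
                     oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_parameters(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is encode(consumer secret) & encode(token secret); token secret may be empty
    (e.g. when requesting a temporary credential). Output is base64, not yet percent-encoded."""
    key = oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(method: str, url: str, body: str, oauth_params: dict,
                     consumer_secret: str, token_secret: str, presented: str) -> bool:
    """Server side: recompute from the received request and compare in constant time."""
    base = signature_base_string(method, url, body, oauth_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Request values from RFC 5849's worked example (POST to example.com with a form body).
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH_PARAMS = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# Secrets constructed for this demo (hypothetical values, not from the RFC).
DEMO_CONSUMER_SECRET = "demo-consumer-secret"
DEMO_TOKEN_SECRET = "demo-token-secret"


def sign_rfc_example() -> tuple:
    """Returns (signature base string, base64 HMAC-SHA1 signature) for the RFC request."""
    base = signature_base_string(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH_PARAMS)
    return base, hmac_sha1_signature(base, DEMO_CONSUMER_SECRET, DEMO_TOKEN_SECRET)


if __name__ == "__main__":
    base, sig = sign_rfc_example()
    print(base)
    print("oauth_signature =", sig)
    print("verifies:", verify_signature(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH_PARAMS,
                                        DEMO_CONSUMER_SECRET, DEMO_TOKEN_SECRET, sig))
```

The two details that most often break interoperability are visible here: the value of `b5` is encoded once when the parameters are normalized and again when the whole normalized string is joined into the base string, and `realm` and `oauth_signature` are excluded from what is signed. A verifier should also reject a replayed nonce/timestamp pair before it bothers recomputing the signature; that check is outside this block.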

September 20, 2007

OAuth Needs Karl Rove

I said before that only Karl Rove can fix phishing attacks and the internet security problems that are caused by users’ laziness and carelessness. We need the man who got George Bush re-elected on a platform of fear. OAuth will provide a (much) better way to share your stuff without sharing your password, but it doesn’t replace passwords.

Even with OAuth, we need to scare people into being more careful and smarter about what they do online. To prove my point: Flickr, Google, and others have great (but proprietary) OAuth-like protocols, but sites still ask for your Flickr and Google passwords and you still give them out. It takes a while before I share my password for one site with another because I don’t trust them.

September 17, 2007

I Shall Call You Squishy

Let’s see if I can confuse you a little bit. OAuth, pronounced “Oh Auth”, started as OpenAuth – OpenID’s party-loving cousin. AOL came and took OpenAuth for their own API protocol. It then changed to Oauth, pronounced like “Oath”, until Pownce’s Leah Culver talked everyone into the current pronunciation (or so the legend goes). Now, OAuth has nothing to do with OATH, the Initiative for Open Authentication over at OpenAuthentication. And if an Israeli tries to explain OAuth to you calling it “Oh Oaf”, don’t take it personally.

Announcing JabAbout

Update: JabAbout has been discontinued due to Facebook API changes that caused it to fail. If you have an interest in taking over the project, please let us know.

JabAbout, our first released product, is out! JabAbout is a Facebook application that lets you send short messages, images, and videos to your friends. What is different about it is that your messages – Jabs – do not stop with your friends but continue to their friends and their friends’ friends.

JabAbout tries to use the entire social graph, not just your list of friends, to build useful utilities, something I have been complaining about the lack of. I like comparing JabAbout to the Facebook poke utility, but with the ability to add a message and to extend the reach beyond just the one friend being poked.

The JabAbout idea is a byproduct of developing the Nouncer platform. Originally planned as a standalone application, we decided to launch it as a Facebook application instead. We contracted FBFactory.com to build the Facebook application and they did an outstanding job. They were very patient with our requests and had a pretty quick turnaround.

JabAbout is still rough around the edges. Please let us know if you have any problems or ideas. One thing that we know is going to change is the current point allocation algorithm. In JabAbout, you use points to make your Jab reach more people, and earn points by reading Jabs from friends. You start with 50 points and can also set the distance between you and your friends to have better control over who gets which Jab – you cannot send Jabs to specific individuals.

September 16, 2007

OAuth isn’t (Always) the Solution

Don’t get me wrong, OAuth is great, or at least I hope it will be, considering the number of hours I put in this week getting the spec ready for prime time. But I’ve been hearing a lot of chatter lately on what OAuth is good for and some of it makes little sense to me. I don’t want to point at specific examples as some of them come from people I truly admire, but they are there. At the Data Sharing Summit, OAuth was thrown into the mix of solutions to problems it had nothing to do with.

September 12, 2007

OAuth Therapy

This is the first of our new occasional geek humor cartoons. They are all meant to be funny to a small group of people in the know, which in a way makes them even funnier. Of course I couldn’t draw if my life depended on it – I just write the concept and other talented people bring it to life. ‘OAuth Therapy’ was created by Christopher Carrasco.

September 10, 2007

Would You Like Some Quechup with Your Phish & Chips?

Public comments about OAuth are a great opportunity to explain the thinking and goals behind the protocol. Rob Sayre asks about the protocol’s use of redirection in order to get the user to grant access:

“Maybe I’m missing something, but doesn’t this train users to enter their credentials into web pages they’ve been redirected to?”

First, you are correct. Redirection carries with it some risk of training users to follow a pattern of arriving at a login screen without explicitly entering a URL in the browser address box. The basic idea behind phishing is getting the user to a page they think is one thing but is really something else. A link in an email message made to look like it came from your bank actually leads to a fake page asking you to enter your username and password. When you fall for it, it usually redirects you back to the real bank to enter them again (making you think you just mistyped).

September 08, 2007

Have You Met Sid?

What started as a side conversation at the Data Sharing Summit with Dick Hardt and other cool folks about your online reputation turned into a new initiative we call Sid (originally Syd, ‘Shit You’ve Done’, now ‘Stuff I’ve Done’). The idea is to have a sort of registry of things you have done online such as blog posts, comments, images, wiki revisions, etc. Sid just aggregates all the information you choose to publicly link to your Sid “page”. Other services can use that “page” to extract value about you such as your reputation, community involvement, influence, etc. The basic use case is being able to read someone’s comment on a blog and check out who this person is and what else he or she has written.

September 05, 2007

Explaining OAuth

Update: For the most recent information about OAuth, subscribe to this blog or check out recent OAuth posts. The technical information in this post is outdated and based on old drafts; it does not correctly represent how OAuth works. Instead, check out the Beginner's Guide to OAuth.

*  *  *

With OAuth 1.0 Draft due out next week, I wanted to introduce the protocol and try to help people understand what it is and what it is trying to solve. OAuth (pronounced "Oh Auth") is mentioned in many blog posts, usually in the context of OpenID and Open Social Networks. While OAuth can play an important role in helping open up closed communities, it is not specific to social networks. The short(est) explanation of OAuth is ‘an API access delegation protocol’. Now for the longer one.

September 03, 2007

A Stroll Through Your Social Graph

Of the top few hundred most popular Facebook applications, none does more than engage you with ONE of your friends. This is not based on some comprehensive research but on playing around with and reading about a few hundred of the Facebook applications currently available. It is very odd that none of them make use of the most powerful tool available on Facebook (and basically any other social network) - the social graph. Here is the current pitch for a Facebook application: you add the application and now your friends can do something to you, and you can do it back to them. What is the point?

Stay Informed

  • Want to stay informed about recent developments in OAuth, Discovery, Open Web Foundation, and related topics? Subscribe today!

Disclaimer

  • The opinions expressed in this blog are solely my own and do not necessarily reflect those of my employer. For more information read the full disclaimer.

About

  • This is the technology blog of Eran Hammer-Lahav. A frequent contributor to OAuth, Discovery, XRD, and other emerging community-driven specifications and standards, I am currently working as Yahoo!'s Director of Standards Development. My personal blog is Half a Bee.

Copyright License

Creative Commons License.