If you've been following someoftheposts on this blog, you've hopefully drank the kool-aid on the view of identity standards like OpenID and OAuth as the fundamental building blocks for more interesting and interoperable apps on the web. At Yahoo!, we've been thinking hard about the value of adopting open standards instead of pushing proprietary products that have been in existence prior to these standards. We have also been talking to and working with the OAuth and OpenID communities on technical, business, and legal fronts. To put our money where our mouth is, in January 2008, we launched the public beta of the Yahoo! OpenID Provider, with an emphasis on significantly improving the OpenID user experience and allowing users to have the convenience of a single identity without the burden of understanding the technical underpinnings of OpenID.
Today, Ari Balogh (new Yahoo! CTO - see video below) publicly announced the broader Yahoo! Open Strategy at the Web 2.0 Expo keynote session (see Cody Simms' post on the Yahoo! Developer Network blog for the juicy details). A key element of this announcement is that, in the not-too-distant future, we will be supporting OAuth as THE STANDARD for authenticated API access for 3rd party developers that want to innovate on top of Yahoo!'s incredible assets and diverse array of services. This auth mechanism will work with web applications, thick-client (installed) applications, and embedded applications! For those who are not familiar with OAuth, it is a community-driven standard that allows 3rd party developers to securely access APIs that expose user data residing on services like Yahoo!. This is done in a way that:
the user doesn't have reveal his Yahoo! password to the 3rd party application - A good general practice
the 3rd party application only has access to the stuff that is necessary for its use, and nothing else (eg. only access my Address Book, and not my Mail or my billing information) - Scoped access is better than global, unfettered access to all my data
the user can easily revoke access if he no longer trusts or uses the 3rd party application - User is always in control
If you are familiar with Yahoo! BBAuth, you can think of OAuth as a standard way of doing what BBAuth enables. As a developer who's building interesting things on top of Yahoo! APIs and APIs of other companies that support OAuth, you will not need to write a whole lot of custom code to integrate with 'N' different authentication APIs which all essentially do the same thing. Besides, you can take advantage of open source client libraries for OAuth to reduce the time to implement the auth component of your service or mashup - instead, you can focus that time on building features that really delight your users.
Our announcement today represents a big win for the OAuth community's efforts and is a harbinger of even more interesting things in the near future. As always, stay tuned for more...
Found in the community clubhouse reservation form for our neighborhood. I left the evening-time email address field blank. I check my email during the day.
