Authorisation: Why Social Media Needs OAuth
The cloud needs safe information sharing, not old-fashioned identity management – and that’s where the OAuth protocol comes in
Eran Hammer-Lahav, director of standards development at Yahoo and editor of the OAuth specification, explained that everyone wins in this scenario, because “you get to create a best-in-breed application by combining all the different pieces that you prefer. You move around this environment with an identifier that brings with it all this data, or at least, glues it together so that each service can find everything else.”
To the casual observer, this may sound a little like what we were promised with single sign-on (SSO), but that’s not at all the case, said Hammer-Lahav. For one thing, the OpenID protocol would be a better comparison with SSO, and OAuth doesn’t actually require OpenID at all.
For another, OpenID’s usefulness is in maintaining user logins across multiple sites, whereas OAuth removes the need to present that login to any site except the identity provider’s. In practice, OpenID and OAuth complement each other, noted Hammer-Lahav. He added that some of OAuth’s proponents, including Facebook’s Recordon, have suggested treating identity verification as a resource, and thereby redefining OpenID as a layer on top of OAuth.
Why single sign-on solved nothing
Hammer-Lahav claimed that SSO by itself “doesn’t really add that much value, even if you look at enterprise environments.” One of his previous employers “had about 50 different internal systems; they tried to build a single sign-on system for everything and at most, the value was that you didn’t have to remember 50 passwords, but you still had to log in 50 times.”
Finally, he added, SSO functions have been overtaken by the way that people use software; “most users log in because their browsers remember their passwords, and it works pretty well.”
As analyst Michael Coté of RedMonk explained, “integration is the constant challenge with any type of identity management, whether it’s consumer or enterprise. You could have 95 percent of the different services integrated, and no one’s ever going to notice, but they’re going to notice the 5 percent that are not, and they’re going to think that nothing’s integrated.”
In Hammer-Lahav’s view, a simple – yet secure – authentication and authorisation process is essential for applications and services on the Web. “Anything that slows down the login experience is usually bad; it costs you in [lost] users,” he pointed out.
Although one might think that such mechanisms would be of key interest to enterprise security vendors, they’re nowhere to be found for much of the discussion. “Enterprise identity management has kind of dropped the ball as far as advancing identity management,” said Coté. “For the most part, the interesting work in identity management gets done by consumer sites” such as Facebook and Twitter.
Perhaps it’s just as well, because with applications in the cloud, the landscape of identity and security is a world turned upside down. “How much you share is a new question for identity management,” Coté noted. “Identity management, classically, is primarily about security and making sure hackers don’t do something. It’s about making sure the right person does the right thing. Identity management in the Facebook age is exactly the opposite; it’s about making it as easy as possible to share the maximal amount of information.”