OAuth IETF Charter

Joe Gregorio

[oauth] Another Charter Text Update

    OAuth allows a user to grant a third-party Web site or application
access to their resources, without necessarily revealing their
credentials, or  even their identity. For example, a photo-sharing site
that supports OAuth would allow its users to use a third-party printing
Web site to access  their private pictures, without gaining full control
of the user account.

OAuth consists of:
  * A mechanism for exchanging a user's credentials for a token-secret
pair which can be used by a third party to access resources on their
  * A mechanism for signing HTTP requests with the token-secret pair.

The Working Group will produce one or more documents suitable for
consideration as Proposed Standard, based upon
draft-hammer-oauth-00.txt, that  will:
  * Improve the terminology used.
  * Embody good security practice, or document gaps in its capabilities,
and propose a path forward for addressing the gap.
  * Promote interoperability.
  * Provide guidelines for extensibility.

This specifically means that as a starting point for the working group
OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available
extension  points are going to be utilized. The WG will profile OAuth
1.0 in a way that produces a specification that is a backwards
compatible profile,  i.e. any OAuth 1.0 and the specification produced
by this group must support a basic set of features to guarantee

It looks like OAuth is heading to the IETF, which is great news, but does amuse me since I was told by some of those involved with OAuth that they weren't going to bring it to the IETF since they "wanted to move fast." That was over a year and a half ago.


We did move fast, and shipped early and often. How many specs have seen as widespread success and adoption of OAuth during the same 1 1/2 years?

Now it is time to turn this into a standard, and the IETF process is a great one for that. The fact that it will slow things down now isn't necessarily a bad thing at this point.

If anything, I'd say that the approach taken by OAuth worked rather well, wouldn't you?


Posted by DeWitt Clinton on 2009-02-23


I'll reserve judgment until I see how it compares to what comes out of the IETF.

Posted by Joe on 2009-02-23

comments powered by Disqus