Creating a Safer OAuth User-Experience
Friday April 29, 2011
The amount of personal data stored online is growing every day. But what if a user needs to do something with that data? Perhaps a user wants to use a photo stored with one web service at another web service that creates prints. Downloading the photo and then uploading it to another site may be too much friction for a user. Many web services are implementing the OAuth protocol to solve the problem.
The OAuth protocol describes a way for a web server (the service provider) to establish a relationship with client services (consumers). A consumer can then ask a user to authorize it to access that user's information maintained by the web server. The user authenticates directly to the web server and never reveals their actual credentials to the consumer; the consumer receives only a token that stands in for the user's authorization and can be revoked by the server without touching the user's password.
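The flow described above, worked through end to end as an added example (this is not code from the original post or from the paper it announces). It simulates the three-legged OAuth 1.0 exchange of RFC 5849 in one process: the consumer ("printshop") obtains temporary credentials, the user logs in at the photo site and approves the request, the consumer trades the verifier for an access token, and finally fetches the user's photos. The consumer key and secret, the user account, the URLs, the fixed timestamp and the photo list are all constructed for the example. Requests are signed with HMAC-SHA1 exactly as the RFC specifies (percent-encoding, parameter normalization, the `consumer_secret&token_secret` key), and the server side checks the signature, the consumer/token binding, the verifier and a nonce store so replayed requests are rejected.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Constructed credentials for the walkthrough (not real services).
CONSUMER_KEY, CONSUMER_SECRET = "printshop", "printshop-consumer-secret"
USERS = {"alice": "correct horse battery staple"}  # the photo site's own logins


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters are left unencoded.
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized parameters).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # RFC 5849 section 3.4.2: key is enc(consumer secret) & enc(token secret).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def consumer_request(method, url, token=None, token_secret="", extra=None):
    # The oauth_* parameters a consumer sends, signed with its own secret (plus token secret).
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1304035200",  # constructed; a real client uses the current time
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params.update(extra or {})
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, CONSUMER_SECRET, token_secret)
    return params


class ServiceProvider:
    # The web server holding the user's photos; it issues and checks all tokens.

    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.request_tokens = {}  # temporary credentials awaiting user approval
        self.access_tokens = {}   # credentials bound to one user and one consumer
        self.seen_nonces = set()  # (consumer, timestamp, nonce) triples already accepted

    def _verify(self, method, url, params, token_secret=""):
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            raise PermissionError("unknown consumer")
        nonce = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if nonce in self.seen_nonces:
            raise PermissionError("replayed request")
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce)

    def request_token(self, method, url, params):
        self._verify(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"],
                                      "callback": params["oauth_callback"], "user": None, "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, username, password):
        # The user logs in here, at the server; the consumer never sees the password.
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        pending = self.request_tokens[token]
        pending["user"], pending["verifier"] = username, secrets.token_hex(8)
        return pending["callback"], pending["verifier"]  # the browser is redirected here

    def access_token(self, method, url, params):
        pending = self.request_tokens.get(params.get("oauth_token"))
        if pending is None or pending["user"] is None or pending["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("request token not authorized for this consumer")
        if not hmac.compare_digest(pending["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("bad verifier")
        self._verify(method, url, params, pending["secret"])
        del self.request_tokens[params["oauth_token"]]  # temporary credentials are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": pending["consumer"], "user": pending["user"]}
        return {"oauth_token": token, "oauth_token_secret": secret}

    def photos(self, method, url, params):
        granted = self.access_tokens.get(params.get("oauth_token"))
        if granted is None or granted["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("no access token for this consumer")
        self._verify(method, url, params, granted["secret"])
        return {"owner": granted["user"], "photos": ["beach.jpg", "cat.jpg"]}  # constructed data


def run_flow(username="alice", password="correct horse battery staple"):
    # Three-legged flow: request token -> user authorization -> access token -> resource.
    sp, base = ServiceProvider(), "https://photos.example"
    temp = sp.request_token("POST", base + "/oauth/request_token", consumer_request(
        "POST", base + "/oauth/request_token", extra={"oauth_callback": "https://printshop.example/oauth/cb"}))
    callback, verifier = sp.authorize(temp["oauth_token"], username, password)
    access = sp.access_token("POST", base + "/oauth/access_token", consumer_request(
        "POST", base + "/oauth/access_token", temp["oauth_token"], temp["oauth_token_secret"],
        {"oauth_verifier": verifier}))
    return sp.photos("GET", base + "/photos", consumer_request(
        "GET", base + "/photos", access["oauth_token"], access["oauth_token_secret"]))
```

Run `run_flow()` to see the resource come back for `alice`; `run_flow(password="wrong")` raises at the authorization step, before any token is ever handed to the consumer. The checks in `access_token` and `photos` that the token's recorded consumer matches `oauth_consumer_key` are what stop one consumer from redeeming or using credentials issued to another, and the verifier is what ties the browser session that approved the request to the consumer that finishes it.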
Although the OAuth protocol provides a great authorization framework, a lot of specifics are left to the implementer. In an effort to create a safer user-experience, I have written a paper that provides recommendations for the web server and consumer that can be used to protect user data and reduce the amount of trust required between parties so that more relationships can be safely formed. Even if you can't implement all of the recommendations, this paper will help you understand your risks.