DWBP15: On OAuth 2.0

March 30th, 2010  |  Published in Podcasts  |  1 Comment

Work on OAuth 2.0 has just begun, and we invited David Recordon, one of the participants in the effort, to chat with us about where he sees it going.


(Download MP3, 28.5MB, 0:30:08)



  • David Recordon
    • has been at Facebook for six months
    • works on open standards and open source
  • Introduction of OAuth
    • the "valet key" for the web
    • more granular access
    • Example: Twitter
  • How do we make it really easy for a wide audience of developers to build on it?
  • OAuth 1.0 about 3 years ago
  • On OAuth WRAP and OAuth 2.0:
    • original public WRAP spec from Nov 2009
    • OAuth WRAP Internet-Draft from Jan 2010
  • a collaboration started between Microsoft, Yahoo and Google
  • it addressed a similar problem; first called WRAP, then renamed OAuth WRAP because it is similar to OAuth but simpler
  • WRAP relies on SSL; OAuth 1.0 doesn't require it
  • 3 years ago SSL seemed a bit crazy, now it’s better supported
  • OAuth 1.0 relies on signatures
  • signatures are hard to think about for normal developers
  • SSL is widely deployed. Can we replace signatures with SSL?
  • this was last fall
  • the only public prototype of WRAP shipped on FriendFeed last fall (after IIW)
  • How do we go and combine OAuth 1.0 and the new ideas of WRAP? => OAuth 2.0
  • really easy for developers to implement
  • What are profiles?
  • WRAP introduced different authentication flows
  • Is this easier to implement? What do I need to implement then?
    • the idea is that you have a lot of components which are mixed together
    • not sure if this will be the end result in OAuth 2.0
    • you have to implement at least one of them.
  • Does a negotiation take place?
    • No, it’s simpler than that
    • The client application already knows its context
    • based on that you pick the profile
  • What about dynamic discovery?
    • That's out of scope for now; it might be built in the future
  • client side needs to be as flexible as possible
  • the UMA (User-Managed Access) work is interested in using OAuth
  • Profiles are designed to be independent of each other (web app, mobile app, TV, …)
  • Is profile the right word? Maybe client binding
  • How are OpenID and OAuth 2.0 related?
  • OAuth has no dynamic discovery yet
  • from a philosophical perspective they feel complementary
  • How does Facebook Connect relate to it?
  • We pretty clearly see OAuth as the direction we want to move to
  • depends on final version etc. of course
  • about three weeks ago he sent out an outline
  • a week ago he published a draft specification
  • Book
    • has been working for the past year on a book on OpenID
    • developer best practices
    • hard to write a book that is not out of date too soon
  • Not sure whether WebFinger is easy enough; there are too many specifications to read
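The contrast drawn in the notes above, OAuth 1.0 relying on request signatures while WRAP and the OAuth 2.0 drafts lean on SSL, is easier to appreciate with the signature actually written out. The Python below is an added example, not code from the podcast, from David Recordon, or from any of the specifications. It implements the RFC 5849 HMAC-SHA1 signature (parameter collection, percent-encoding, sorting, signature base string, signing key) on the request that RFC 5849 itself uses as its worked example, and beside it the bearer-token header that OAuth 2.0 eventually standardized in RFC 6750, where TLS does the work the signature used to do. The client and token secrets and the sample bearer token are the RFCs' example values; the server-side verifier and the tampered request are assumptions added here for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Sample secrets: the values RFC 5849 uses in its own worked example.
CLIENT_SECRET = "j49sk3j29djd"
TOKEN_SECRET = "dh893hdasih9"

# The request from RFC 5849 section 3.4.1.3.1, constructed here from the RFC text.
RFC5849_EXAMPLE = {
    "method": "POST",
    "url": "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b",
    "body": "c2&a3=2+q",  # application/x-www-form-urlencoded
    "oauth_params": {
        "oauth_consumer_key": "9djdj82h48djs9d2",
        "oauth_token": "kkk9d7dh3k39sjv7",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "137131201",
        "oauth_nonce": "7d8f3e4a",
    },
}


def pct_encode(s: str) -> str:
    """RFC 5849 section 3.6: only RFC 3986 unreserved characters stay bare, hex is uppercase."""
    return quote(s, safe="")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.netloc.lower()
    if (scheme == "http" and host.endswith(":80")) or (scheme == "https" and host.endswith(":443")):
        host = host.rsplit(":", 1)[0]
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """RFC 5849 section 3.4.1: collect, encode, sort and concatenate every parameter."""
    params = []
    params += parse_qsl(urlsplit(url).query, keep_blank_values=True)   # query string
    params += parse_qsl(body, keep_blank_values=True)                  # form-encoded body only
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("oauth_signature", "realm")]               # header, minus these two
    # Encode first, then sort by encoded name and, for duplicates, by encoded value.
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2: key is encoded client secret, '&', encoded token secret."""
    key = pct_encode(client_secret) + "&" + pct_encode(token_secret)
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_params(method, url, body, oauth_params, client_secret, token_secret) -> dict:
    """Client side: return the oauth_* parameters with oauth_signature filled in."""
    base = signature_base_string(method, url, oauth_params, body)
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, client_secret, token_secret))


def oauth1_authorization_header(signed_params: dict) -> str:
    """Render the signed parameters as an OAuth 1.0 Authorization header value."""
    return "OAuth " + ", ".join(f'{pct_encode(k)}="{pct_encode(v)}"' for k, v in signed_params.items())


def verify_oauth1(method, url, body, received_params, client_secret, token_secret) -> bool:
    """Server side (hypothetical helper): recompute the signature from what was received.
    A real server must also reject stale oauth_timestamp values and reused oauth_nonce values."""
    base = signature_base_string(method, url, received_params, body)
    expected = hmac_sha1_signature(base, client_secret, token_secret)
    return hmac.compare_digest(expected, received_params.get("oauth_signature", ""))


def bearer_authorization_header(access_token: str) -> str:
    """The OAuth 2.0 bearer form (RFC 6750): no canonicalization, no signature.
    The only thing protecting the token in transit is TLS, which is why the spec requires it."""
    return f"Bearer {access_token}"


if __name__ == "__main__":
    ex = RFC5849_EXAMPLE
    signed = sign_params(ex["method"], ex["url"], ex["body"], ex["oauth_params"],
                         CLIENT_SECRET, TOKEN_SECRET)
    print("OAuth 1.0 base string:", signature_base_string(ex["method"], ex["url"], ex["oauth_params"], ex["body"]))
    print("OAuth 1.0 header:     ", oauth1_authorization_header(signed))
    print("OAuth 2.0 header:     ", bearer_authorization_header("mF_9.B5f-4.1JqM"))  # RFC 6750 sample token
```

Every normalization step (which parameters go in, how values are percent-encoded, how duplicate names are ordered, whether a default port is stripped) is a place where a client and a server can silently disagree and produce nothing more helpful than "invalid signature"; that is the developer pain the notes refer to. The bearer form removes all of it, but moves the whole burden onto the transport: without TLS a bearer token is replayable by anyone who sees it, whereas a signed request is bound to its nonce and timestamp and to the exact request that was signed.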


  1. mrtopf.de » Blog Archive » Just like that: Facebook revolutionizes the web says:

    April 21st, 2010 at 10:31 pm

    […] on the one hand it is a standard, and on the other hand OAuth 2.0 is not even finished yet (you may also want to listen to the interview with David Recordon of Facebook that we did with him about this two weeks ago). So the question remains what […]