OAuth at Gluecon

By April 13, 2011Uncategorized

In the wake of my post on identity, it seems fitting to bring up the session we have Paul Madsen doing at Gluecon on OAuth 2.0.

The decision to put Paul on-stage came at the conclusion of Blur. Andre Durand (ping identity) and I were catching up over some cocktails, and because we’re complete nerds, “catching up” meant talking about identity protocols. Somewhere around the third or fourth vodka and whatever, Andre launched into “just how technically awesome Paul Madsen is” in this OAuth webinar he did the other day. I was sold nearly immediately – and I’m sure Paul won’t disappoint:

OAuth – WS-* for REST (without the ‘WS’ and far less ‘*”)

OAuth 2.0 defines an authentication and authorization framework for securing REST-based APIs – more and more a key underpinning of the Cloud. Like the WS-* family of specifications (like WS-Trust, WS-Security, etc) for SOAP Web Services, OAuth defines a model in which clients of REST APIs use security tokens in order to authenticate – these tokens obtained from a separate interaction with a dedicated token issuer. Such token-based authentication offers a number of advantages compared to models in which the client authenticates directly to the API using dedicated credentials – not the least of which is an easier verification and authorization burden for the API. True to the rift that divides SOAP & REST, OAuth is simpler & lighter than WS-*, with (at least so far) fewer moving parts. While born of Web 2.0 (designed to mitigate the so-called password anti-pattern, in which a consumer would be asked to share their password to enable API access to their data), OAuth is emerging as an important technology for the enterprise. mobile, and cloud (and their intersection). This talk will will summarize OAuth evolution & current status, take an in-depth look at the OAuth architecture and related specifications, compare & contrast OAuth to other protocols like SAML, OpenID, etc , and show examples of OAuth in action (even in cases where, dare I say it, the worlds of WS-Trust & OAuth intermix).