Sunday, May 22, 2011

Applying the OAuth (Open Authorization) Standard


OAuth (Open Authorization) is an open standard for authorization. It lets users share private resources held at one site with another site without handing out their credentials (username and password).
Instead of credentials, OAuth lets users hand the second site a token. A token grants access only to a specific site and only for specific resources (its scope), and only for a defined duration (e.g. the next hour). The third-party site therefore gains limited access to the user's data without ever learning the password, and the site holding the resources can revoke that access without the user having to change the password.
OAuth is a standard of the Internet Engineering Task Force (IETF). OAuth 1.0 is published as RFC 5849; its successor, OAuth 2.0, still an IETF draft at the time of writing, defines authorization flows for web applications, desktop applications and mobile phones.
The protocol itself is transparent to users. The end user need not know anything about OAuth, what it is or how it works; what the user sees is a login and consent screen at the site that holds the resources, followed by a redirect back to the site requesting access. The rest is handled by the OAuth implementations at both sites.
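To make the token mechanics concrete, here is an added example (not code from the original post, and not any real provider's implementation) that simulates the OAuth 2.0 authorization-code flow in one process: an authorization server that authenticates the user and issues a scoped, expiring token, a resource server that honours only a valid token with the right scope, and a third-party client that never sees the password. User names, client names, scopes and the token format are assumptions made for the illustration; the sample data is constructed.

```python
"""Toy OAuth 2.0 authorization-code flow (added example; not the post's own code).

Three parties, all simulated in-process:
  * AuthorizationServer: authenticates the user, records consent, issues scoped, expiring tokens.
  * ResourceServer: serves the user's data only for a known, unexpired token whose scope covers it.
  * The client (third-party site) only ever handles the one-time code and the token, never the password.
All names, scopes and data below are constructed for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    user: str
    client_id: str
    scope: frozenset
    expires_at: float


class AuthorizationServer:
    def __init__(self, users, clients, token_ttl=3600):
        self._users = users        # user -> password (the only place the password lives)
        self._clients = clients    # client_id -> client_secret
        self._ttl = token_ttl      # lifetime of every issued token, in seconds
        self._codes = {}           # one-time authorization codes awaiting exchange
        self.tokens = {}           # token value -> Token, shared with the resource server

    def authorize(self, user, password, client_id, scope):
        """Step 1: the user logs in here (never at the client) and consents to a scope."""
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        if not hmac.compare_digest(self._users.get(user, ""), password):
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, frozenset(scope))
        return code   # handed to the client via redirect; it is not a token yet

    def exchange(self, code, client_id, client_secret):
        """Step 2: the client trades the code plus its own secret for an access token."""
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)   # pop: a code is usable exactly once
        if entry is None or entry[1] != client_id:
            raise PermissionError("invalid or reused authorization code")
        user, _, scope = entry
        tok = Token(secrets.token_urlsafe(32), user, client_id, scope, time.time() + self._ttl)
        self.tokens[tok.value] = tok
        return tok


class ResourceServer:
    def __init__(self, token_store, data):
        self._tokens = token_store
        self._data = data   # user -> {resource name: value}

    def get(self, token_value, resource, now=None):
        """Step 3: serve a resource only if the bearer token is known, unexpired and scoped for it."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token_value)
        if tok is None:
            raise PermissionError("unknown token")
        if now >= tok.expires_at:
            raise PermissionError("token expired")
        if resource not in tok.scope:
            raise PermissionError(f"token not scoped for {resource}")
        return self._data[tok.user][resource]


def demo():
    """Run the happy path and four failure modes; return what each produced."""
    users = {"alice": "correct horse battery staple"}       # constructed sample user
    clients = {"photo-printer": "printer-secret"}            # constructed third-party site
    data = {"alice": {"photos": ["beach.jpg", "dog.jpg"], "contacts": ["bob", "carol"]}}
    auth = AuthorizationServer(users, clients, token_ttl=3600)
    res = ResourceServer(auth.tokens, data)

    # Alice authenticates at the authorization server and grants only the "photos" scope.
    code = auth.authorize("alice", users["alice"], "photo-printer", ["photos"])
    tok = auth.exchange(code, "photo-printer", "printer-secret")
    out = {"photos": res.get(tok.value, "photos")}

    checks = [
        ("out_of_scope", lambda: res.get(tok.value, "contacts")),
        ("expired", lambda: res.get(tok.value, "photos", now=tok.expires_at + 1)),
        ("code_reuse", lambda: auth.exchange(code, "photo-printer", "printer-secret")),
        ("wrong_client_secret", lambda: auth.exchange(
            auth.authorize("alice", users["alice"], "photo-printer", ["photos"]),
            "photo-printer", "guess")),
    ]
    for name, attempt in checks:
        try:
            attempt()
            out[name] = "allowed"
        except PermissionError as err:
            out[name] = f"denied: {err}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the four denied cases is the one the paragraph makes: the client holds something far weaker than a password. The token cannot reach resources outside the consented scope, it stops working when its lifetime ends, the one-time code cannot be replayed, and an impostor client without the client secret gets nothing even if it intercepts the code.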
SUMMARY
Giving an account password to another party on the network is the same thing as going to dinner and handing the ATM card and PIN code to the waiter. On the web, users put themselves at risk by sharing private information in this way.
DoD personnel are making increased use of multiple web sites for social networking. They can log on to each web site using their identity and password. But handing that password to a third-party site discloses it to that site, and to any intruder who compromises it; a captured password gives full control of the account, which an intruder could use for implanting malware. OAuth deals with such a risk by letting users hand out tokens that grant limited access, for specific uses only and for a defined time period.
DoD system designs should start including OAuth in the security software that manages access to social computing. Relying on scoped, expiring tokens instead of password-protected logins will simplify network management and increase security. One caveat: a bearer token is itself a credential for the access it grants, so it must be carried only over TLS and stored as carefully as a password would be, even though a stolen token exposes far less than a stolen password.

For comments please e-mail pstrassm@gmu.edu