Monday, July 10th, 2006
Julien Couvreur has posted on an interesting topic he’s been working with lately (along with Jason Levitt) – API authentication for mashup applications, both Ajax-enabled and not.
Jason Levitt has been teasing me in our discussions on cross-domain requests about Yahoo’s upcoming authentication API. The recurring problem: how to offer web APIs that can be mashed up but involve personal data? You want to allow for a large number of third parties to integrate with your services, but don’t want phishing sites to abuse them.
He starts with a look at the technologies modern browsers offer to accomplish this authentication – both the communication side and the authentication side – before looking at the way Yahoo! chose to handle it: a browser-based authentication (bbauth) model. It works more like an authentication mechanism than an authorization method, but includes a capability-based security model to limit what a third party can do even further.
Julien continues on to describe more fully the implications of this method and why this could be a good thing for web services.
Posted by Chris Cornutt at 7:12 am