Monday, July 10th, 2006
Web API authentication for mashups
Julien Couvreur has posted on an interesting topic he’s been working with lately (along with Jason Levitt): API authentication for mashup applications, both Ajax-enabled and not. From his post:

“Jason Levitt has been teasing me in our discussions on cross-domain requests about Yahoo’s upcoming authentication API. The recurring problem: how to offer web APIs that can be mashed up but involve personal data? You want to allow for a large number of third parties to integrate with your services, but don’t want phishing sites to abuse them.”
He starts with a look at the technologies modern browsers offer to accomplish this (both the cross-domain communication side and the authentication side) before looking at the approach Yahoo! chose: a browser-based authentication (bbauth) model. It works more like an authentication mechanism than an authorization method, but it includes a capability-based security model to limit what a third party can do even further.
Julien continues on to describe more fully the implications of this method and why this could be a good thing for web services.
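To make the mashup problem concrete, here is an added example that is not from the post or from Yahoo!: a toy model of the class of mechanism described above, in which the user logs in at the identity provider (never at the third-party site), and the third party receives only a short-lived token bound to its registered app id and to a fixed set of capabilities. The app registry, parameter names, URLs, secrets and the token format are all constructed for illustration and are not bbauth’s actual protocol.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (hypothetical app and provider, not real credentials).
APP_ID = "mashup-demo"
APP_SECRET = "constructed-app-secret"
PROVIDER_KEY = b"constructed-provider-signing-key"

# Provider-side registry: each third party is registered in advance with a
# shared secret, a fixed callback URL and the capabilities it may ever request.
REGISTERED_APPS = {
    APP_ID: {
        "secret": APP_SECRET,
        "callback": "https://mashup.example/callback",
        "allowed": {"photos:read"},
    }
}


def sign_request(path, params, secret):
    """HMAC over the canonical path+query so the provider can tell which registered app is asking."""
    query = urlencode(sorted(params.items()))
    return hmac.new(secret.encode(), f"{path}?{query}".encode(), hashlib.sha256).hexdigest()


def build_login_redirect(app_id, app_secret, capabilities, ts=None):
    """Third-party side: send the browser to the provider's login page, never asking for the password itself."""
    ts = int(time.time()) if ts is None else ts
    params = {"appid": app_id, "ts": str(ts), "scope": ",".join(sorted(capabilities))}
    params["sig"] = sign_request("/login", params, app_secret)
    return "https://provider.example/login?" + urlencode(sorted(params.items()))


def provider_issue_token(redirect_url, user, now):
    """Provider side, after the user has authenticated here: validate the app's request and mint a capability token."""
    parsed = urlparse(redirect_url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    sig = q.pop("sig", "")
    app = REGISTERED_APPS.get(q.get("appid"))
    if app is None:
        raise PermissionError("unknown app id")
    if not hmac.compare_digest(sign_request(parsed.path, q, app["secret"]), sig):
        raise PermissionError("bad request signature")
    if abs(now - int(q["ts"])) > 600:          # reject replayed / stale redirects
        raise PermissionError("stale request")
    requested = set(q["scope"].split(","))
    if not requested <= app["allowed"]:        # an app cannot escalate beyond its registration
        raise PermissionError("capability not granted to this app")
    payload = {"app": q["appid"], "user": user, "scope": sorted(requested), "exp": now + 3600}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # The token goes back only to the pre-registered callback, not to a URL chosen in the request.
    return app["callback"] + "?" + urlencode({"token": f"{body}.{mac}"})


def token_from_callback(callback_url):
    """Third-party side: pull the token out of the callback redirect."""
    return parse_qs(urlparse(callback_url).query)["token"][0]


def api_call(token, app_id, capability, now):
    """API side: accept the call only if the token is genuine, unexpired, for this app and for this capability."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise PermissionError("forged token")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < now:
        raise PermissionError("token expired")
    if payload["app"] != app_id:
        raise PermissionError("token issued to a different app")
    if capability not in payload["scope"]:
        raise PermissionError("capability not in token")
    return payload["user"]


def safe_call(token, app_id, capability, now):
    """Convenience wrapper: the user name on success, None when the API refuses."""
    try:
        return api_call(token, app_id, capability, now)
    except PermissionError:
        return None


if __name__ == "__main__":
    login_url = build_login_redirect(APP_ID, APP_SECRET, ["photos:read"], ts=1_000_000)
    callback = provider_issue_token(login_url, "alice", now=1_000_000)
    tok = token_from_callback(callback)
    print("read photos as:", safe_call(tok, APP_ID, "photos:read", now=1_000_100))
    print("write photos:", safe_call(tok, APP_ID, "photos:write", now=1_000_100))
```

The point of the model is the one the post raises: the third-party site never sees the user’s password, a phishing site cannot obtain a usable token without a registered secret and callback, and even a legitimate app can only exercise the capabilities it was registered for, for a limited time.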
Hi Chris,
I’d like to clarify that I’m not working on bbauth. We’ve had some discussion on the topic with Jason, and I’m trying to piece the puzzle together with the little info I have. My post should be considered largely speculation on bbauth at this point, although I believe the high-level arguments still stand.
Cheers,
Julien
bbauth is both an authentication and an authorization technique, but it’s not an API and it’s not intended to be a single sign-on solution. It’s simply intended to be a way to create web sites that use Yahoo APIs that use authentication.
We should also make clear that this isn’t publicly available yet — it should become available with the release of the photos API that we announced back in March.