Monday, July 10th, 2006
Web API authentication for mashups
Julien Couvreur has posted on an interesting topic he’s been working with lately (along with Jason Levitt) - API authentication for mashup applications, both Ajax-enabled and not.
Jason Levitt has been teasing me in our discussions on cross-domain requests about Yahoo’s upcoming authentication API. The recurring problem: how to offer web APIs that can be mashed up but involve personal data? You want to allow for a large number of third parties to integrate with your services, but don’t want phishing sites to abuse them.
He starts with a look at the technologies modern browsers offer to accomplish this - both the communication and the authentication sides - before looking at the way Yahoo! chose to handle it, a browser-based authentication (bbauth) model. It works more like an authentication mechanism than an authorization method, but includes a capability-based security model to help limit what a third party can do even further.
Julien continues on to describe more fully the implications of this method and why this could be a good thing for web services.
Hi Chris,
I’d like to clarify that I’m not working on bbauth. We’ve had some discussion on the topic with Jason, and I’m trying to piece the puzzle together with the little info I have. My post should be considered largely speculation on bbauth at this point, although I believe the high-level arguments still stand.
Cheers,
Julien
bbauth is both an authentication and an authorization technique, but it’s not an API and it’s not intended to be a single sign-on solution. It’s simply intended to be a way to create web sites that use Yahoo APIs that require authentication.
We should also make clear that this isn’t publicly available yet — it should become available with the release of the photos API that we announced back in March.