Monday, July 10th, 2006

Web API authentication for mashups

Category: Ajax, Yahoo!

Julien Couvreur has posted on a topic he has been looking into lately (in discussions with Jason Levitt): API authentication for mashup applications, both Ajax-enabled and not.

Jason Levitt has been teasing me in our discussions on cross-domain requests about Yahoo’s upcoming authentication API. The recurring problem: how to offer web APIs that can be mashed up but involve personal data? You want to allow for a large number of third parties to integrate with your services, but don’t want phishing sites to abuse them.

He starts with the building blocks modern browsers offer for this, on both the communication and the authentication side, before turning to the approach Yahoo! chose: a browser-based authentication (bbauth) model. It reads more like an authentication mechanism than an authorization scheme, but it adds a capability-based security model so that what a third party can do with the resulting credentials can be limited further.

Julien goes on to describe more fully the implications of this approach and why it could be a good thing for web services.
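To make the problem concrete, here is an added example of the general pattern the post is circling: the user authenticates at the provider, the mashup never handles the password, and the token the provider hands back is bound to one registered app, a small set of capabilities and an expiry, so a phishing site or a leaked token gets much less than full account access. This is illustration code written for this page, not Yahoo!'s bbauth (the post does not describe its wire format, and the comments below stress that details are speculative); the provider URL, field names, secrets, sample photo data and the HMAC-based token layout are all assumptions.

```python
"""Added illustration of a browser-redirect, capability-scoped auth flow for
mashups. This is NOT Yahoo!'s bbauth; the URL, field names, secrets and the
HMAC token layout are assumptions made for this example."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed secrets: the provider's token-signing key and a per-app secret
# handed out when a mashup registers with the provider.
PROVIDER_SECRET = b"provider-token-signing-key"
APP_REGISTRY = {"mashup-123": b"secret-for-mashup-123"}
# Constructed sample data the provider holds on behalf of the user.
USER_PHOTOS = {"alice": ["beach.jpg", "cat.jpg"]}
TOKEN_TTL = 3600  # seconds a token stays valid (assumed)


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def _canonical(appid: str, ts, caps: str) -> str:
    # Fixed field order so app and provider sign exactly the same string.
    return urlencode({"appid": appid, "ts": str(ts), "caps": caps})


# --- mashup (third-party) side -------------------------------------------
def build_login_redirect(appid: str, ts: int, caps: list[str],
                         base: str = "https://provider.example/login") -> str:
    """Step 1: send the browser to the provider's login page. The app signs
    the request with its registered secret, so a phishing site cannot pose
    as a registered app, and the user's password is never typed into the
    mashup at all."""
    canon = _canonical(appid, ts, ",".join(caps))
    return f"{base}?{canon}&sig={_mac(APP_REGISTRY[appid], canon)}"


# --- provider side -------------------------------------------------------
def provider_login(redirect_url: str, user: str, now: int, max_skew: int = 300) -> str:
    """Step 2: verify the app's request, let the user log in at the provider
    (simulated here by `user`), and hand back a token bound to that app,
    that user, the capabilities granted and an expiry."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    appid = q.get("appid", "")
    if appid not in APP_REGISTRY:
        raise PermissionError("unknown appid")
    expected = _mac(APP_REGISTRY[appid], _canonical(appid, q["ts"], q["caps"]))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        raise PermissionError("bad request signature")
    if abs(now - int(q["ts"])) > max_skew:
        raise PermissionError("stale login request (replay?)")
    return issue_token(appid, user, q["caps"].split(","), now + TOKEN_TTL)


def issue_token(appid: str, user: str, caps: list[str], expires: int) -> str:
    body = "|".join([appid, user, " ".join(caps), str(expires)])
    return body + "|" + _mac(PROVIDER_SECRET, body)


def verify_token(token: str, appid: str, needed_cap: str, now: int) -> str:
    """Return the user the token belongs to, or raise PermissionError.
    These checks are what keep a stolen token from becoming full access."""
    parts = token.split("|")
    if len(parts) != 5:
        raise PermissionError("malformed token")
    body, sig = "|".join(parts[:4]), parts[4]
    if not hmac.compare_digest(_mac(PROVIDER_SECRET, body), sig):
        raise PermissionError("bad token signature")
    tok_app, user, caps, expires = parts[0], parts[1], parts[2].split(" "), int(parts[3])
    if tok_app != appid:
        raise PermissionError("token was issued to a different app")
    if now > expires:
        raise PermissionError("token expired")
    if needed_cap not in caps:
        raise PermissionError(f"token lacks capability {needed_cap}")
    return user


def api_list_photos(token: str, appid: str, now: int) -> list[str]:
    """Step 3: the mashup calls the provider's API with the token. A real
    provider would also require the app to sign API calls with its secret;
    here the caller's claimed appid is simply checked against the token."""
    user = verify_token(token, appid, "photos:read", now)
    return list(USER_PHOTOS.get(user, []))


if __name__ == "__main__":
    url = build_login_redirect("mashup-123", 1000, ["photos:read"])
    token = provider_login(url, "alice", 1010)
    print(api_list_photos(token, "mashup-123", 1500))
```

The point of the three checks in `verify_token` is the capability model the post mentions: a token that grants `photos:read` cannot be used for `photos:write`, cannot be replayed by a site registered under a different appid, and stops working after `TOKEN_TTL`, so the blast radius of a phished or leaked token is the capability set, not the account.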

Posted by Chris Cornutt at 7:12 am



Hi Chris,

I’d like to clarify that I’m not working on bbauth. We’ve had some discussion on the topic with Jason, and I’m trying to piece the puzzle together with the little info I have. My post should be considered largely speculation on bbauth at this point, although I believe the high-level arguments still stand.


Comment by Julien Couvreur — July 10, 2006

bbauth is both an authentication and an authorization technique, but it’s not an API and it’s not intended to be a single sign-on solution. It’s simply intended to be a way to create web sites that use Yahoo! APIs that use authentication.

We should also make clear that this isn’t publicly available yet — it should become available with the release of the photos API that we announced back in March.

Comment by Jeffrey McManus — July 10, 2006
