The first OAuth Summit hosted by Yahoo! last week was a huge success. Fifty (!) OAuth community members attended, representing 20 companies, large and small, as well as a couple of dedicated individuals. The list of companies represented at the summit is extremely gratifying to see considering that OAuth started as, and still is, a community-driven effort: Agree2, AOL, BroadOn, Bubble Labs, Eye-Fi, Facebook, Garmin, Google, LinkedIn, Ma.gnolia, Microsoft, MySpace, Plaxo, Pownce, SafeMashups, Salesforce, Songbird, Veodia, Vidoop, and Yahoo!.
The summit would not have been half as good without the help of a few individuals. Stacy Milman from Yahoo! Developer Network did an outstanding job organizing the event on behalf of our host, setting the location, helping with registration, and making sure everything was just right. Cindy Li designed our super cool schwag: the OAuth T-shirt and stickers – look for the OAuth cat showing up on a laptop near you. Eric Sachs helped create the agenda for the event and organized the demo session that kicked off the rest of the day. Chris Messina set up the wiki and registration page.
The summit started with an update on the OAuth IPR (intellectual property rights) agreement which is in its final approval stages (more news on OAuth licensing to follow), the current proposal for revising the Core specification, and the list of proposed extensions for the community to consider. The update was followed by a demo session which included:
- MySpace iGoogle gadget – Joseph Estrada (MySpace) and Dirk Balfanz (Google) demoed the new MySpace iGoogle gadget using Google’s OAuth Proxy to communicate with MySpace's recently announced Data Availability APIs, which are OAuth-enabled.
- Google Health – Christian Sonntag (Google) showed a test application built on top of Google Health API which uses OAuth to protect confidential medical records.
- PortableContacts – Joseph Smarr (Plaxo) showed a working example of the new Portable Contacts API using OAuth to manage the authorization delegation part of sharing address book information.
- Pownce iPhone Application – Mike Malone (Pownce) showed how to use custom URI schemes on the iPhone to improve usability of the OAuth authorization flow.
- FireEagle Authorization Page – Seth Fitzsimmons (Yahoo! Brickhouse) showed how FireEagle implemented the OAuth authorization page and the lessons learned from building a service with sensitive personal data and complex permissions.
- Microsoft Live Authentication – Angus Logan (Microsoft) gave a demo of Live Authentication – Microsoft’s OAuth-like protocol – showing the authorization flow as well as advanced features like the ability to authorize multiple resources with different access levels.
- CrunchBase Application for MySpace – Paul Walker (MySpace) explained how MySpace uses OAuth and demoed the minutes-old CrunchBase application built on top of MySpace Data Availability.
It was great to see real products coming out with OAuth support as well as existing players transitioning to use the protocol. After the demos we dived right into a 4-hour technical roundtable session about the future of the protocol. The discussion covered a wide range of topics and included:
- Scope for the next iteration of the specification and first round of extensions.
- Token Attributes – providing a standard way to indicate the kind of access being requested and granted.
- Error Handling – adding error codes to Core to improve interoperability.
- OAuth Discovery – a mechanism to allow clients to auto-configure the OAuth endpoints.
- OpenSocial & OAuth – update on how OpenSocial is using OAuth as its official delegation protocol.
- OpenID + OAuth – a proposal for combining the two protocols for Service Providers who are also Identity Providers.
- Session Extension – support for large providers allowing easier deployment of OAuth across multiple properties and distributed environments.
- OAuth for Gadgets – discussion around the Google OAuth Proxy and related extensions such as key rotation and gadget support.
- Automatic Registration – providing a way for anonymous or automatically registered Consumers.
The day concluded with dinner and drinks and some interesting casual conversations about where the community is headed and projects people are interested in working on. The summit provided much-needed energy and got the community excited about the work ahead, which is already taking shape on the OAuth list. If you are new to OAuth or just could not make it to the summit, please join us and participate.