OAuth Explained: Secure API Integration

OAuth is a relatively new open protocol for delegated authorization: it lets one application call another’s API on a user’s behalf without the user’s username and password ever being handed over, or sent along with each request. The idea for OAuth was conceived in 2006 by a group of individuals working on the Twitter implementation of OpenID. After reviewing OpenID and existing industry practice, such as the Amazon Web Services and Flickr APIs, they decided to write a proposal for a new open protocol for authorizing applications to access an API. The effort quickly gathered momentum, with backing from Google, and in July 2007 an initial specification was drafted. Today we use OAuth Core 1.0a, with a new 2.0 spec being drafted.

How Does It Work?

Here’s a real-world example — one that you may have already come across and not even known it.

Let’s follow the OAuth path of how foursquare sends tweets on your behalf:

  • foursquare has first registered itself as an “application” with Twitter. In doing so, it is issued a credential pair: a “consumer key” and its paired “consumer key secret.” The key identifies foursquare in every request it makes; the secret stays on foursquare’s servers and is used to sign those requests under the OAuth model.
  • From a user perspective, when you log in to foursquare and click the “please link my Twitter account” button, foursquare contacts Twitter with a request signed using its consumer credentials and obtains a temporary “request token.” You’re then handed a special Twitter URL, carrying that request token, that whisks you off to Twitter’s website.
  • If you aren’t already logged in to Twitter, you’ll be prompted to just like always, and then presented with a screen asking whether you’d like to give the named application access to your account.
  • Clicking “Allow” tells Twitter that this app (foursquare), which requested access using its particular consumer key, should have access to your Twitter account. Twitter then redirects you back to the application (the foursquare website) with a short verification code attached; this verifier is the piece 1.0a added to tie the redirect back to the browser session that started the flow.
  • The foursquare application then takes the request token it stored earlier together with the returned verification code and asks Twitter to exchange them for a final credential pair: the “access token” and its “access token secret.”
  • Now when you perform an action on foursquare and it’s tweeted, foursquare calls the Twitter API with a request that carries its consumer key and the stored access token for your account, signed with the consumer secret and the access token secret together.

And amid all of this, your Twitter username and password are never seen, let alone stored, by foursquare. The access token is also tied to that one application: revoking foursquare’s access from your Twitter settings kills the token without you having to change your password.
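As an added example (not the page’s own code, and nothing from foursquare or Twitter), here are the six steps above with the part the bullets gloss over, the OAuth 1.0a HMAC-SHA1 signing, and with both the consumer (foursquare) and the service provider (Twitter) simulated in one process so it runs offline. The hosts, consumer key and secret, token formats and the user name are made up; the signature base string and key construction follow OAuth Core 1.0a / RFC 5849.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlsplit

REQUEST_TOKEN_URL = "https://api.twitter.example/oauth/request_token"  # made-up hosts
ACCESS_TOKEN_URL = "https://api.twitter.example/oauth/access_token"
UPDATE_URL = "https://api.twitter.example/1/statuses/update.json"

def pct(value):
    return quote(str(value), safe="-._~")  # RFC 5849 encoding: only unreserved chars stay bare

def signature_base_string(method, url, params):
    """METHOD & enc(normalized URL) & enc(sorted 'k=v' pairs); oauth_signature itself is excluded."""
    p = urlsplit(url)  # lower-case scheme and host; drop default port, query and fragment
    port = "" if p.port in (None, {"http": 80, "https": 443}.get(p.scheme.lower())) else f":{p.port}"
    base_url = f"{p.scheme.lower()}://{p.hostname.lower()}{port}{p.path or '/'}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # token part empty before a token exists
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, token=None, token_secret=""):
    """Consumer side: add the oauth_* protocol parameters, then sign the whole request."""
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_nonce=secrets.token_hex(16),
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
                  **({"oauth_token": token} if token else {}))
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), consumer_secret, token_secret)
    return signed

class Provider:
    """Service-provider side (the Twitter role); all state kept in memory for the example."""
    def __init__(self, consumers, window=300):
        self.consumers, self.window = consumers, window  # key -> secret from registration; clock skew (s)
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()

    def verify(self, method, url, params, token_secret=""):
        """Recompute the signature; reject stale timestamps and reused nonces (replays)."""
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        ts = params.get("oauth_timestamp", "")
        nonce = tuple(params.get(k) for k in ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
        if secret is None or not ts.isdigit() or abs(int(ts) - time.time()) > self.window \
                or nonce in self.seen_nonces:
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, params), secret, token_secret)
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return False
        self.seen_nonces.add(nonce)
        return True

    def request_token(self, params):
        """Step 2: issue a request token; this call is signed with the consumer secret alone."""
        if not self.verify("POST", REQUEST_TOKEN_URL, params):
            raise PermissionError("bad signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = dict(secret=secret, verifier=None, callback=params["oauth_callback"],
                                          consumer=params["oauth_consumer_key"])
        return token, secret

    def authorize(self, token, user):
        """Steps 3-4: the user clicks Allow; the 1.0a verifier rides back on the redirect."""
        rt = self.request_tokens[token]
        rt["verifier"], rt["user"] = secrets.token_hex(8), user
        return f"{rt['callback']}?oauth_token={pct(token)}&oauth_verifier={pct(rt['verifier'])}"

    def access_token(self, params):
        """Step 5: request token + verifier are exchanged, once, for the access token pair."""
        rt = self.request_tokens.pop(params.get("oauth_token"), None)  # single use, even if this fails
        verifier_ok = rt and rt["verifier"] and hmac.compare_digest(
            rt["verifier"].encode(), params.get("oauth_verifier", "").encode())
        if not verifier_ok or not self.verify("POST", ACCESS_TOKEN_URL, params, rt["secret"]):
            raise PermissionError("bad request token, verifier or signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = dict(secret=secret, consumer=rt["consumer"], user=rt["user"])
        return token, secret

    def api_call(self, method, url, params):
        """Step 6: a protected call; returns the user the access token was issued for."""
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or not self.verify(method, url, params, at["secret"]):
            raise PermissionError("unauthorized")
        return at["user"]

def run_flow():
    ck, cs = "fsq-consumer-key", "fsq-consumer-secret"  # assigned at app registration (made up)
    twitter = Provider({ck: cs})
    rt, rts = twitter.request_token(sign_request(
        "POST", REQUEST_TOKEN_URL, {"oauth_callback": "https://foursquare.example/cb"}, ck, cs))
    redirect = twitter.authorize(rt, user="alice")  # the user is sent here and clicks Allow
    verifier = parse_qs(urlsplit(redirect).query)["oauth_verifier"][0]
    at, ats = twitter.access_token(sign_request(
        "POST", ACCESS_TOKEN_URL, {"oauth_verifier": verifier}, ck, cs, rt, rts))
    tweet = sign_request("POST", UPDATE_URL, {"status": "I'm at the coffee shop"}, ck, cs, at, ats)
    return twitter.api_call("POST", UPDATE_URL, tweet)
```

Calling `run_flow()` walks all six steps and returns the user the tweet was posted for. The security properties live in `Provider.verify`: neither secret ever travels on the wire, only an HMAC over the method, normalized URL and parameters, so a proxy that sees the request cannot forge a different one; the timestamp window plus the nonce set means a captured request cannot be replayed; and the request token is consumed once, with the verifier checked in constant time, so a redirect that a third party lured the user into completing cannot be exchanged by anyone who does not hold both halves.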

By the way, the best graphical representation of this process I’ve found is documented here by Digg.

Data Visualization


As a researcher and professional working in accessibility, special needs, education, usability and interaction design, I am constantly searching for better ways to present information, especially complex and dynamic information.

Web 2.0 has introduced cloud-sourced information that defies traditional representations (graphs and pie charts). We as an industry of information technology specialists need to find ways to present interactive information in an understandable, interesting and fun way.

I have written about ManyEyes before as a great idea (in thought, if maybe not in implementation) of how to ask society at large how it wishes to be presented with this information, hopefully to find a way that works across cultures in wayfinding and understanding information.

As I get ready to leave for UPA 2009 Conference in Portland, I am following and connecting with my colleagues who are already there or on their way. This is easily done through Twitter and its myriad of applications. Squidoo List of Twitter Apps.

Over the last couple of years, I have seen several implementations that collect social feeds, but this UPA2009 Twitter Feed’s animation styles are really interesting.

I took that and created a search based on My Tweets.

I highly recommend going to The Man in Blue’s VisibleTweets site and creating one for yourself.

Educational Technology Twitter Feed

I am creating several RSS, social network and Twitter feeds for Achieve Kids. I thought this was a particularly interesting result.

I funneled it through Yahoo Pipes, which I am finding to be particularly useful when merging several search parameters into one feed.


Best Technology of Bush Years


With Bush finally leaving office, now is a good time for a quick tip o’ the hat to the gadgets, widgets and useful technology that the Bush Administration managed to put in place.

The FBI has built a Most-Wanted widget.

The TSA has an employee blog about security.

The State Department has an internal Diplopedia to help diplomats share information with each other.

The CIA now recruits on Facebook.

Also, the Library of Congress now uses Flickr to show off some of their special collections and documents.

A complete list compiled by Nick Thompson can be found here.

Obama has already received plenty of advice about what technologies he should focus on during his administration.