Open Authentication Protocol (oauth)

Last Modified: 2008-11-09

Chair(s): TBD

Applications Area Director(s): Chris Newman, Lisa Dusseault

Applications Area Advisor: TBD

Mailing Lists:
General Discussion: oauth@googlegroups.com
Subscribe / Archive: http://groups.google.com/group/oauth/

Description of Working Group:

OAuth allows a user to grant a third-party Web site or application access to their resources without revealing their credentials, or even their identity. For example, a photo-sharing site that supports OAuth would allow its users to let a third-party printing Web site access their private pictures, without that site gaining full control of the user account.

OAuth consists of:

* A mechanism for exchanging a user's credentials for a token-secret pair which can be used by a third party to access resources on their behalf
* A mechanism for signing HTTP requests with the token-secret pair

The Working Group will produce one or more documents suitable for consideration as Proposed Standard, based upon the OAuth I-D, that will:

* Align OAuth with the Internet and Web architectures, best practices and terminology
* Assure good security practice, or document gaps in its capabilities
* Promote interoperability

In doing so, it should consider:

* Implementer experience
* Existing uses of OAuth
* Ability to achieve broad implementation (e.g., if browser modifications are deemed necessary, this should be coupled with browser implementation)
* Ability to address broader use cases than may be contemplated by the original authors
* Impact on the Internet and Web

The Working Group is not tasked with defining a generally applicable HTTP Authentication mechanism (i.e., the browser-based "2-leg" scenario), and should consider this work out of scope in its discussions. However, if the deliverables can be factored in such a way that this is a byproduct, or such a scenario could be addressed by additional future work, the Working Group may choose to do so.
After delivering OAuth, the Working Group MAY consider defining additional functions and/or extensions, for example (but not limited to):

* Discovery of authentication configuration
* Message integrity

Goals and Milestones:

12/2009 Submit document(s) suitable for publication as standards-track RFCs.
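The second mechanism the charter lists, signing an HTTP request with the token-secret pair, as an added example that is not part of the charter or of any OAuth draft: the client builds the signature base string and HMAC-SHA1 signature in the manner later standardised as OAuth 1.0 (RFC 5849 section 3.4), and the server recomputes it from its own copy of the secrets, so the user's password never leaves the site that holds the resources. The sample URL, keys and secrets are assumed values chosen for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def _enc(value):
    # RFC 5849 section 3.6: percent-encode everything but unreserved characters.
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    # Lower-case scheme and host, drop default ports, strip query and fragment.
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = "%s:%d" % (host, p.port)
    return "%s://%s%s" % (p.scheme.lower(), host, p.path or "/")

def signature_base_string(method, url, params):
    # params: (key, value) pairs from the query string, body and oauth_* values.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params)
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), _enc(base_string_uri(url)), _enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The key joins both secrets, so a leaked token secret alone cannot forge requests.
    key = ("%s&%s" % (_enc(consumer_secret), _enc(token_secret))).encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret):
    # Server side: recompute from its own copy of the secrets, compare in constant time.
    supplied = dict(params).get("oauth_signature", "")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(supplied.encode(), expected.encode())

# Constructed sample request; the URL, identifiers and secrets are assumed values.
SAMPLE_URL = "http://photos.example.net/photos"
SAMPLE_PARAMS = [("file", "vacation.jpg"), ("size", "original"),
                 ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
                 ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
                 ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0")]
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

def signed_request():
    # What the client sends: the original parameters plus oauth_signature.
    sig = sign("GET", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return SAMPLE_PARAMS + [("oauth_signature", sig)]
```

A real server would additionally reject replayed nonces and stale timestamps, which the signature alone does not prevent.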