Last week, on behalf of the OAuth community, Eve Maler accepted an award for Best new or improved standard at the European Identity Conference 2009 (EIC), in Munich:

The European Identity Award for the category “Best new or improved standard” went to the Aristotle Project for ArisID, an important enhancement of IGF (Identity Governance Frameworks) and CARML, which enhances user-friendliness of these important standards for IAM and GRC. This particular innovation had been promoted and supported by Oracle. The standardization initiative OAuth (Open Authentication) receives an award for their streamlined approach for authentication standardization, which finds a lot of market interest. The last award in this category goes to the Information Card Foundation (ICF) for standardizing the important approach of Information Cards for future identity management.

As Eve happened to be at the conference, she received authorization on behalf of community to accept the award. We haven’t quite figured out what we’ll do with it (being that we’re a virtual, placeless entity!) but we appreciate being recognized all the same!

While the merits of several solutions to the OAuth session fixation vulnerability are still being hashed out on the wiki, I wanted to share the latest episode of theSocialWeb.tv, captured yesterday on location at Google’s headquarters in Mountain View, providing some background and technical details about the problem, as told by Eran Hammer-Lahav, who has been coordinating the community’s response.

Marshall Kirkpatrick of ReadWriteWeb also has a great write-up of the timeline of events that lead to the discovery of the issue, shedding more light on how quickly the community mobilized to confront this threat.

There have been no known exploits so far and for the past several days the OAuth community has been coordinating a response with as many known providers as possible to help them understand the threat and deploy whatever mitigating factors they can.

We’d like to publicly show our appreciation for Twitter’s role in helping to minimize premature publicity of this threat, even at its own expense, taking the heat as if it was their own issue in order to allow other companies to address this threat.

We ask that people refrain from speculating about or publicly discussing the actual details of this or other threats before we have released an official statement this evening at midnight, PST on the OAuth website.

If you have any immediate concerns, please contact the vendors or Eran Hammer-Lahav directly at 408 596 1974 or eran@hueniverse.com (he is the community coordinator for this threat).

From their press release:

Online travel itinerary and trip planning service TripIt (www.tripit.com) today announced the availability of a new API (Application Programming Interface) for developers to create software applications that integrate with TripIt travel itineraries. The TripIt API is the travel industry’s first open API for sharing travel itinerary information between travel websites, travel suppliers, travel agents and related travel services. TripIt is an open travel platform that already supports bookings from more than 350 travel-related sites and works with partners including LinkedIn, Microsoft Windows Live and Sabre VirtuallyThere. With the new TripIt API, any developer can now build an application that integrates with TripIt, including the first ones from Expens’d, FlightTrack and Where I’ve Been. Developers can access the TripIt API at www.tripit.com/developer.

…

This first version of the TripIt API enables applications to read, add or delete trip plans in TripIt, while allowing TripIt travelers to control how applications access and use their data. More details at www.tripit.com/developer.

Pelle Braendgaard posted to the OAuth Ruby list today announcing the that the 0.3 version of the OAuth Ruby Gem has been released:

This is the community barn fixing release of the OAuth Gem. The primary purpose of this release is to fix all the little issues people have discovered while actually using OAuth in the real world.

A concerted effort has also been made to create much better testing of all the low level operations, such as encoding, normalization etc. There are much improved tests that follow the spec closely.

There is also a new oauth command line utility, which makes it easy to test oauth requests from your shell.

The official home page of the ruby library is:

http://oauth.rubyforge.org/

The main git repository is:

http://github.com/pelle/oauth/tree/master

Many people have been involved in this release, here are the primary contributors and the changelog:

• Support ActionController::Request from Edge Rails (László Bácsi)
• Correctly handle multi-valued parameters (Seth)
• Added #normalized_parameters to OAuth::RequestProxy::Base (Pelle)
• OAuth::Signature.sign and friends now yield the RequestProxy instead of the token when the passed block’s arity is 1. (Seth)
• Token requests are made to the configured URL rather than generating a potentially incorrect one. (Kellan Elliott-McCrea)
• Command-line app for generating signatures. (Seth)
• Improved test-cases and compatibility for encoding issues. (Pelle)

The REST API uses standard OAuth authentication to allow applications to safely access the Netflix service on a subscriber’s behalf without requesting his user name or password. A simpler subset of OAuth can be used to access REST API resources that do not require subscriber authorization, such as the catalog.

At the time, it wasn’t necessarily clear what this meant, or where we would see OAuth get used.

A few months later, it’s clear that OAuth is under the hood in “activation” transactions on the TiVo, the Xbox and the Samsung Blu-ray player.

And today, in David Pogue’s NYTimes column announcing the winners of the fourth annual Pogie Awards, Netflix’s innovative service was given top billing:

NETFLIX AS A SOFTWARE FEATURE “There’s a reason we didn’t call the company ‘DVDs by Mail,’ ” Netflix’s chief executive, Reed Hastings, often says. And sure enough: no DVDs are involved in Netflix’s latest assault on the American home theater. With Netflix Instant Viewing, there are no time limits, no copy protection, no waiting for movie files to download; the movie simply streams from the Internet as you watch.

You’re not billed by the movie; in fact, you’re not billed at all. Unlimited streaming movies are free with any DVD-by-mail plan over $9.

Originally, you had to watch on your computer (Windows, and now Mac). But who wants to watch movies sitting at a desk?

Bit by bit, Netflix has been bringing this feature to your TV by cleverly piggybacking on other companies’ set-top boxes. Netflix Instant Viewing is now a feature of the TiVo, XBox 360, and Blu-ray players from LG and Samsung. Or you can get Roku’s $100 Netflix Player box, which does the job beautifully all by itself.

The 12,000 available movies generally aren’t recent ones. But there’s a lot to be said for instant gratification, especially when it’s free.

It’s worth recognizing that this experience was crafted using open technologies like OAuth and ATOM. And for the end user, the experience is as seamless and smooth as one would hope, or more likely, expect.

Cheers, Netflix!

In an effort to make it easier to debug your OAuth calls — and interact with Google’s OAuth-protected resources — Google Data APIs engineer Eric Bidelman released the OAuth Playground today along with a comprehensive article on using OAuth with the GData APIs.

Along with the article and playground, Google now supports HMAC-SHA1 signing.

The first is a component for CakePHP for accessing services with OAuth called OAuth component for CakePHP (points for creativity!).

Second, Madgex has released a new open source OAuth library for .NET (also released under the MIT License), along with some interesting demos using Fire Eagle, the Google Contacts API and microformats. Documentation is here.

Good stuff!

Iron Money’s API allows developers to build tools that leverage the financial data they upload to Iron Money. The API gives developers read, write, and delete access to all of the data they store in Iron Money. The API features OAuth for authorization and OpenID support will be coming sometime in the next few months.

Documentation is available as well as a PHP-based client library for interacting with the service.

If you want to sign up and give it a try, free registration is now open (as Chasen said, OpenID is coming soon).

Specifications are tricky creatures. On their own, they are only copyrightable. But on their own they are also not very interesting. Their value is in their implementations, and those are subject to patents. If you have been following the tech world over the past couple of year, you know that patents can be very risky to developers. The problem is that in order to implement specifications, the developer usually has to write code that uses some existing patents. It is practically impossible to know which patents are involved, but at a minimum, the developers need to know that the people who wrote the specification are not going to sue them.

Over the past 8 months we have been working to obtain the necessary protections for the community, to be able to freely implement the OAuth Core 1.0 specification without any fear of being sued by any of the people involved (or their employers). Unlike specifications done in standard bodies where Intellectual Property Rights (IPR) are established ahead of time and set the scope and terms of the work, community specifications start with ideas and goodwill. This is a fundamental difference and a requirement for future community work. The need for the Open Web Foundation grew out of the frustration of communities like OAuth and OpenID having to go through hell to obtain these legal protections. In the next few months, the Open Web Foundation will offer tools and help communities avoid this painful process and focus on writing good specifications, not legal contracts.

Some of you will notice the new addition to the OAuth specification – the License section! A short paragraph detailing the licensing terms of the specification and providing links to the legal agreements. That short addition took hundred of hours and the dedication of many individuals and companies. Guaranteeing the open availability of this work is critical for small and large companies alike. Not everyone cares about this the same way and there are already implementations of OAuth out there. IPR risk is something very specific to each company and its culture, but this effort will help provide equal access to this important building block. It is not absolute protection – there is no such thing – but it is pretty good!

The community owes Eran, Gabe Wachob, DeWitt Clinton, David Recordon, Larry Halff, and Shreyas Doshi a great debt of gratitude for their hard work ensuring that the future of OAuth remains open and unencumbered.