IETF closer to finalizing ID standard to secure mobile apps, APIs

Summary: OAuth 2.0, a key framework for securing native mobile applications and APIs, on Monday moved a step closer to being declared an official Internet Engineering Task Force standard. The authentication/authorization framework, which aids in cloud security, lays out an exchange of identity access tokens in lieu of a username and password.

A key framework for securing native mobile applications and API calls using secure identity access tokens Monday took what likely is its last step toward becoming a standard.

OAuth 2.0 was submitted for publication to the Internet Engineering Task Force's steering group, which has authority to deem it an official standard.

The Web Authorization Protocol (OAuth) working group made the submission and the Internet Engineering Steering Group (IESG) put OAuth 2.0 into "In Last Call" status. It is now open for comments until Feb. 6.

"This is a serious step forward," said Stephen Farrell, IETF security area director. "Basically, it means that the OAuth working group considers the documents to be done, and now we're going to see if the rest of the IETF agrees with that."

In addition, the IETF also announced that an Internet-Draft for a specific OAuth token type, called a Bearer Token, has been sent to the IESG for final comments.

OAuth 2.0 is an authentication/authorization mechanism, more a framework than a protocol, that lets many different client types securely access RESTful APIs.

Those types of API calls are popular in the cloud for applications to communicate with one another or for clients to talk to apps.

OAuth 2.0 is viewed as an important development for securing mobile computing, including single sign-on for native mobile applications. Users don't exchange username and password data, they use access tokens produced by an authorization server.

The OAuth exchange of secure access tokens can take place between a client-side end-user platform and an application or between applications or services.
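As an added illustration (not code from the article or from the IETF drafts), the three roles in the token exchange described above: an authorization server mints an opaque access token, the client presents it as a Bearer token in the HTTP Authorization header instead of a password, and the resource server behind the API checks validity, expiry and scope before serving the call. The in-memory token store, the function names and the scope values are assumptions.

```python
import hmac
import secrets
import time

# Constructed stand-in for the authorization server's record of issued tokens.
# A real resource server would validate tokens through the authorization server
# (or a signed token format) rather than a shared dictionary; the lookup logic
# is the same.
ISSUED_TOKENS = {}


def issue_access_token(subject, scope, ttl_seconds=3600, now=None):
    """Authorization server: mint an opaque bearer token for an end user.

    The client application receives only this token, never the user's password.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"sub": subject, "scope": set(scope.split()),
                            "exp": now + ttl_seconds}
    return token


def bearer_request(token, method="GET", path="/api/contacts"):
    """Client: attach the token as an HTTP Bearer credential on an API call."""
    return {"method": method, "path": path,
            "headers": {"Authorization": "Bearer " + token}}


def authorize_request(request, required_scope, now=None):
    """Resource server: return (HTTP status, detail) for a token-protected call."""
    now = time.time() if now is None else now
    scheme, _, presented = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return 401, "missing or malformed bearer credential"
    # Constant-time comparison so the lookup does not leak token bytes by timing.
    record = None
    for issued, rec in ISSUED_TOKENS.items():
        if hmac.compare_digest(issued.encode(), presented.encode()):
            record = rec
    if record is None:
        return 401, "invalid_token"
    if now >= record["exp"]:          # a bearer token is only as good as its lifetime
        return 401, "invalid_token: expired"
    if required_scope not in record["scope"]:
        return 403, "insufficient_scope"
    return 200, record["sub"]
```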

Earlier this month, AT&T announced support for OAuth 2.0 in its AT&T API Platform for developers of HTML5 mobile web and native applications accessed via smartphones, e-readers or game systems. The company said OAuth 2.0 is key to protecting its users' privacy when interfacing with non-AT&T apps.

Last week, IBM explained its support for OAuth to secure its social applications. Those two join the likes of Google, Facebook and Salesforce.com who are already using OAuth 2.0 (disclosure: my employer Ping Identity supports OAuth 2.0 in its products).

It is no secret that APIs are becoming an increasingly important way to get at data no matter where it lives. Companies such as Salesforce.com say they now handle more API calls than they do native client calls.

"We've seen significant interest in finishing and using OAuth and also in extending it after these documents are done," said Farrell.

It is not certain when the final OAuth 2.0 approval will come. The next IETF meeting is at the end of March, but Farrell says that might be too soon. He thinks final approval may come this summer.

"It can be hard to predict the timing, but for an important and relatively complex problem like this one I would expect that we'll get a good bit of review and so there will probably at least be some editorial changes to be done," said Farrell.

OAuth has been in development for nearly two years.

The IETF is also working on standards to join OAuth 2.0 and the Security Assertion Markup Language (SAML) that is popular today in enterprise identity management installations and single sign-on between enterprises and software-as-a-service and other applications.

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Talkback

2 comments
  • That SAML/OAuth thing sounds great

    Why'd you link all the specs but the SAML one? ;)

    http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer
    Brian D Campbell
  • RE: IETF closer to finalizing ID standard to secure mobile apps, APIs

    Thanks for the blog.
    jerald76