Google adds open standard to gadget mashups

The web giant is now using the OAuth open authentication standard in its mini-apps for the desktop and the iGoogle webpage

Google has adopted the OAuth web-authentication standard, an open standard for controlling privacy, for its gadget platform.

If a user has personal information stored on one website, OAuth provides a mechanism for him or her to authorise that website to share the data with another website or gadget. It also makes it possible to do this without the first site having to reveal the user's identity to the second site.

Google announced in June that it was to adopt OAuth for sharing data through its Google Data application programming interface (API). The company said on Tuesday that it will now also use OAuth for Google Gadgets, which are interactive mini-applications for the desktop that show, for example, personalised news feeds or localised weather reports.

The first Google Gadgets to use OAuth are those created by MySpace, AOL Mail and Google Books for the iGoogle personalised webpage.

"We also previously announced that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs," Eric Sachs, Google's senior product manager for security, wrote in a blog post on Tuesday. "In fact, since both the gadget platform and OAuth technology are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards."

Sachs added that the new OAuth-enabled gadgets being created for iGoogle would also work on those other sites, including many of the gadgets that Google offers for its own applications. "This provides a platform for some interesting mashups," he wrote.

"It would allow a mutual fund, for example, to provide an iGoogle gadget to their customers that would run on iGoogle and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a social security number or account number," Sachs wrote. "In the future, maybe we will even see industries like banks use standards such as OAuth to allow their customers to authorise utility companies to perform direct debit from the user's bank account without that person having to actually share his or her bank account number with the utility vendor."