IETF closer to finalizing ID standard to secure mobile apps, APIs

OAuth 2.0, a key framework for securing native mobile applications and APIs, on Monday moved a step closer to being declared an official Internet Engineering Task Force standard. The authentication/authorization framework, which aids in cloud security, lays out an identity access token exchange in lieu of a username and password.

A key framework for securing native mobile applications and API calls using secure identity access tokens Monday took what likely is its last step toward becoming a standard.

OAuth 2.0 was submitted for publication to the Internet Engineering Task Force's steering group, which has authority to deem it an official standard.

The Web Authorization Protocol (OAuth) working group made the submission and the Internet Engineering Steering Group (IESG) put OAuth 2.0 into "In Last Call" status. It is now open for comments until Feb. 6.

"This is a serious step forward," said Stephen Farrell, IETF security area director. "Basically, it means that the OAuth working group considers the documents to be done, and now we're going to see if the rest of the IETF agrees with that."

In addition, the IETF also announced that an Internet-Draft for a specific OAuth token type - called a Bearer Token - has been sent to the IESG for final comments.

OAuth 2.0 is an authentication/authorization mechanism, more a framework than a protocol, that lets many different client types securely access RESTful APIs.

Those types of API calls are popular in the cloud for applications to communicate with one another or for clients to talk to apps.

OAuth 2.0 is viewed as an important development for securing mobile computing, including single sign-on for native mobile applications. Users don't hand their username and password to each application; instead, applications use access tokens produced by an authorization server.

The OAuth exchange of secure access tokens can take place between a client-side end-user platform and an application or between applications or services.
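To make the token exchange and the Bearer Token type concrete, here is an added illustration that is not code from the article, the IETF drafts, or any vendor mentioned. The token format, signing key, user database and the names `issue_token` and `validate_bearer` are all constructed for this example; real deployments issue tokens in formats such as JWT or use token introspection, and the resource server and authorization server hold separate keys. What it shows is the security-relevant split: only the authorization server ever sees the password, while the resource server accepts or rejects an `Authorization: Bearer` header on the strength of the token alone, and the checks a resource server must not skip (signature, expiry, scope).

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed shared signing key (example only, never use a literal key like this).
TOKEN_SIGNING_KEY = b"example-signing-key-for-illustration"

# Constructed user store; only the authorization server has access to it.
USERS = {"alice": "correct horse battery staple"}


def _sign(payload):
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(username, password, scope, ttl=3600, now=None):
    """Authorization server: check credentials once and mint a bearer token.

    Returns the token string, or None when the credentials are wrong.
    The token is base64url(payload) + "." + signature, where the payload
    carries subject, space-separated scopes, expiry and a random nonce.
    """
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    issued_at = int(time.time() if now is None else now)
    payload = f"{username}|{scope}|{issued_at + ttl}|{secrets.token_hex(8)}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def validate_bearer(authorization_header, required_scope, now=None):
    """Resource server: validate an `Authorization: Bearer <token>` header.

    Returns the token subject when the token is authentic, unexpired and
    carries the required scope; otherwise None. No password is involved.
    """
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    body, _, sig = token.partition(".")
    if not body or not sig:
        return None
    try:
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Signature check first, in constant time, before trusting any field.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        username, scope, exp, _nonce = payload.decode().split("|")
        exp = int(exp)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if current >= exp:
        return None
    if required_scope not in scope.split():
        return None
    return username


def demo():
    """Walk through the exchange with fixed clocks so results are deterministic."""
    token = issue_token("alice", "correct horse battery staple", "profile:read", now=1_000_000)
    header = f"Bearer {token}"
    # Flip the last hex digit of the signature to simulate tampering.
    tampered = header[:-1] + ("0" if header[-1] != "0" else "1")
    return {
        "valid": validate_bearer(header, "profile:read", now=1_000_100),
        "wrong_scope": validate_bearer(header, "profile:write", now=1_000_100),
        "expired": validate_bearer(header, "profile:read", now=1_003_600),
        "tampered": validate_bearer(tampered, "profile:read", now=1_000_100),
        "bad_password": issue_token("alice", "wrong password", "profile:read"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>13}: {result}")
```

The `demo` function is the whole flow in miniature: the client authenticates to the authorization server once, the resulting token travels in the `Authorization` header, and the resource server's answer depends only on the token's signature, expiry and scope. Because a bearer token is accepted by whoever presents it, the expiry and scope checks, plus TLS on the wire, are what limit the damage if one leaks.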

Earlier this month, AT&T announced support for OAuth 2.0 in its AT&T API Platform for developers of HTML5 mobile web and native applications accessed via smartphones, e-readers or game systems. The company said OAuth 2.0 is key to protecting its users' privacy when interfacing with non-AT&T apps.

Last week, IBM explained its support for OAuth to secure its social applications. Those two join the likes of Google, Facebook and who are already using OAuth 2.0 (disclosure: my employer Ping Identity supports OAuth 2.0 in its products).

It is no secret that APIs are becoming an increasingly important way to get at data no matter where it lives. Companies such as say they now handle more API calls than they do native client calls.

"We've seen significant interest in finishing and using OAuth and also in extending it after these documents are done," said Farrell.

It is not certain when the final OAuth 2.0 approval will come. The next IETF meeting is at the end of March, but Farrell says that might be too soon. He thinks final approval may come this summer.

"It can be hard to predict the timing, but for an important and relatively complex problem like this one I would expect that we'll get a good bit of review and so there will probably at least be some editorial changes to be done," said Farrell.

OAuth has been in development for nearly two years.

The IETF is also working on standards to join OAuth 2.0 and the Security Assertion Markup Language (SAML) that is popular today in enterprise identity management installations and single sign-on between enterprises and software-as-a-service and other applications.