Key mobile, API security spec set for IETF approval next week

OAuth 2.0 is already catching fire as the spec to secure native mobile apps and API calls.

The Internet Engineering Task Force is expected next week to approve a key standardized framework for securing native mobile applications and API calls using secure identity access tokens.

The OAuth 2.0 Authorization Framework working group said Monday all outstanding questions on the spec have been answered and it is complete. The spec has been under review by the entire Internet Engineering Steering Group since April.

Now the spec must be reviewed by security area director Stephen Farrell, who said it is likely OAuth 2.0 would be sent next week to the RFC Editor Queue, which signals it is done and ready for publication.

Farrell has indicated in IETF documents that OAuth 2.0 has “enough positions to pass.”

The working group also has submitted a spec for a particular type of security token: The OAuth 2.0 Authorization Framework: Bearer Token Usage.

The next IETF meeting is slated for July 29th, and final approval for both specs could come during that meeting.

OAuth 2.0 is an authentication/authorization mechanism, more a framework than a protocol, that lets many different client types securely access RESTful APIs.

Those types of API calls are popular in the cloud for applications to communicate with one another or for clients to talk to apps.

OAuth 2.0 is viewed as an important development for securing mobile computing, including single sign-on for native mobile applications. Users don't exchange username and password data with the application; instead, the application presents access tokens produced by an authorization server.
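To make the token flow above concrete, here is an added illustration (not code from the article, the IETF working group, or any particular OAuth library) of the two roles involved: an authorization server that issues opaque access tokens, and a resource server that accepts a request only when it carries a valid, unexpired token with sufficient scope in the `Authorization: Bearer` header defined by the Bearer Token Usage spec (later published as RFC 6750, alongside the framework itself as RFC 6749). The in-memory token store, the `client_id` and scope values, and the `realm="api"` string are assumptions chosen for the example.

```python
"""Added example: OAuth 2.0-style bearer token issuance and validation.

Illustrative code, not from the article or any standards body. Token
storage, client ids and scope names are constructed for the example.
"""
import hashlib
import secrets
import time

B64TOKEN_EXTRA = "-._~+/="  # characters RFC 6750 allows in a b64token besides ALPHA / DIGIT


class AuthorizationServer:
    """Issues opaque access tokens and answers validity queries about them."""

    def __init__(self):
        # Store only a hash of each token so a leaked table does not leak live tokens.
        self._tokens = {}  # sha256(token) -> {"client_id", "scope", "expires_at"}

    def issue_token(self, client_id, scope, lifetime=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe base64
        self._tokens[self._key(token)] = {
            "client_id": client_id,
            "scope": set(scope),
            "expires_at": now + lifetime,
        }
        return token

    def introspect(self, token, now=None):
        """Return the token's metadata, or None if unknown or expired."""
        now = time.time() if now is None else now
        info = self._tokens.get(self._key(token))
        if info is None or now >= info["expires_at"]:
            return None
        return info

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()


def parse_bearer(authorization_header):
    """Extract the token from 'Authorization: Bearer <b64token>' (RFC 6750 section 2.1).

    The scheme name is case-insensitive; anything else (another scheme, a
    missing token, characters outside the b64token alphabet) yields None.
    """
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    if not token or not all(c.isalnum() or c in B64TOKEN_EXTRA for c in token):
        return None
    return token


class ResourceServer:
    """A protected API endpoint that never sees a username or password."""

    def __init__(self, auth_server, required_scope, realm="api"):
        self.auth_server = auth_server
        self.required_scope = required_scope
        self.realm = realm

    def handle(self, headers, now=None):
        """Return (status, response_headers) for a request with the given headers."""
        token = parse_bearer(headers.get("Authorization"))
        if token is None:
            # No usable credential: challenge the client (RFC 6750 section 3).
            return 401, {"WWW-Authenticate": 'Bearer realm="%s"' % self.realm}
        info = self.auth_server.introspect(token, now=now)
        if info is None:
            return 401, {"WWW-Authenticate": 'Bearer realm="%s", error="invalid_token"' % self.realm}
        if self.required_scope not in info["scope"]:
            return 403, {
                "WWW-Authenticate": 'Bearer realm="%s", error="insufficient_scope", scope="%s"'
                % (self.realm, self.required_scope)
            }
        return 200, {"X-Client-Id": info["client_id"]}


if __name__ == "__main__":
    authz = AuthorizationServer()
    api = ResourceServer(authz, required_scope="read")
    tok = authz.issue_token("mobile-app", ["read"], lifetime=60)
    print(api.handle({"Authorization": "Bearer " + tok}))   # (200, {...})
    print(api.handle({}))                                   # (401, {...})
```

The defensive points the example embodies: the token, not the password, is the credential the API sees; the resource server rejects unknown and expired tokens and distinguishes a missing credential (401) from an insufficient one (403); and the server stores token hashes rather than tokens. A bearer token is by definition usable by whoever holds it, so in deployment it must only travel over TLS, which the in-process calls here do not model.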

OAuth 2.0 also is a key milestone because it is the foundation for a number of other proposed identity standards. Together, OAuth 2.0 and its derivatives have the chance to dramatically improve security via identity.

OpenID Connect, which is being developed by the OpenID Foundation, is built on the OAuth 2.0 framework and provides features such as authentication. In addition, User Managed Access – a protocol that provides for tight access controls over personal or sensitive data housed in online social, sharing and business sites – is also built on an OAuth foundation.

"We've seen significant interest in finishing and using OAuth and also in extending it after these documents are done," Farrell told ZDNet in January.

OAuth has been in development for nearly two years.

See also:

IETF closer to finalizing ID standard to secure mobile apps, APIs