OAuth, or Open Authentication is “an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications”. Basically it’s a way to allow one web application to utilize another without the need for users to worry about pesky authentication keys or the like. It also allows for data interchange without the passing of account credentials. Or to put it another way, OAuth allows a user to grant access to their information on one site, to another site, without sharing all of their identity.

Although OAuth was conceived only a couple of years ago, and although one of its originators, Ma.gnolia, had a well publicized and ultimately disastrous story, the protocol saw the light of day around the end of 2007.

In part due to the exposure that they gained from their initial implementers (Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, Google and Yahoo), OAuth has rapidly become the accepted way to authenticate users quickly and easily. I’ve utilized OAuth, OpenID and traditional authentication key methods – OAuth is by far the easiest, cleanest and most elegant solution.

In the past few weeks a number of vendors in the accounting software space have rolled out OAuth support. First FreshBooks announced it had begun supporting OAuth and came out with a strong recommendation that all third-party add-ons to FreshBooks implement OAuth as well, as FreshBooks “may eventually require it for all future add-ons”.

Sunir Shah, Chief Handshaker at FreshBooks, sees OAuth as the way of the future. He told me that, in his opinion:

Everyone exposing a public API should be using OAuth as their method of authenticating third parties.

As Shah sees it, OAuth gives vendors the ability to protect their customers from a compromised integration, as was recently the case when Twitter shut down OAuth after a vulnerability was discovered. OAuth also gives users control over exactly who has access to their data, and when.

Shah raised an interesting point for SaaS vendors trying to create an ecosystem around themselves. As he said:

…these days, everyone wants to build an App Store. Because every access key is a license that you can turn on and off, OAuth makes it easier for your integrations to generate revenue, and that means more and better integrations.

Similarly, and in the same week, Xero announced support for OAuth. They did so however under the overarching developer preview release of their version 2 API, a much broader offering that, they say, furthers their aim to become “the Accounting Engine for the Internet”. I’ll post some more detail when it is rolled out en masse but in the meantime (and as an aside) check out one of the early integrations using OAuth, the very cool little time tracker application MinuteDock – built specifically as a Xero add-on.

It’s exciting times in the authentication space – with plenty more to come!

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

  • Indeed it is a very clean and tight protocol for authentication workflow to establish delegated access. Xero’s implementation however seems to be lacking on a number of fronts. They don’t make it easy for multi-tenant platform developers to build closed loop auth using a callback, and their 30 minute access token expiry creates a bizarre user experience. Hoping that Xero are listening to their “uservoice”!

  • Hi Wasabhi,
    We’re aware of the piece of the OAuth jigsaw missing from the Xero implementation at this time. As the lead developer on the project I can assure you that we had a few discussions as to whether we would do the developer preview, as we knew the primary response would be people noticing the lack of permanent access tokens.

    First we want to assure you that permanent access via the API is coming, but as I hope you can recognise we treat customer privacy as our number one concern, so we wanted to make sure that adequate safeguards are in place before releasing such support.

    Also, the lack of modifiable callback URLs was an oversight, and I have to admit that was just a mistake that we’ll be rectifying soon.

    We do listen to uservoice and use that as a primary means of prioritising.

    OAuth is a great protocol and with an increase in use the libraries are going to only get better. OAuth is currently going through ratification at the Internet Engineering Task Force, which will make the protocol more an integral part of internet security.

    OAuth is still young so we thought it important to get the developer preview version of the API out so that people can get used to the workflow and security mechanisms behind OAuth.

    Many thanks
    Owen Evans

  • Owen, thanks for your prompt response. I’m really impressed to see that you’re actively engaged and listening to constructive feedback given to the developer preview release. My point of view is based on frustrations caused by working with your current implementation … looking forward to seeing the introduction of structures that are clearly defined in the current OAuth spec – in the interests of both user security and user experience. I have made suggestions in the uservoice forum to specify a root callback domain during the creation of consumer credentials – subsequently all callback URLs specified during each authentication event need to originate from subdomains of this root domain. The use case here is of course for consumers originating from multi-tenant architectures where callback URLs vary. This could achieve a higher level of security whilst accommodating a use case that is likely to be more common in the future. For the record Owen – my comment was not questioning your motivation to provide the very best level of user security and privacy…

    Great to hear from you …
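The root-callback-domain scheme proposed in the comment above, worked through as an added example (this is not code from the post, from Xero or from FreshBooks): a consumer registers one root callback domain with its credentials, and the provider accepts a per-request callback URL only if its host is that domain or a subdomain of it. The function names, the registered domain `app.example` and the sample callback URLs are all constructed for illustration.

```python
# Added example: provider-side validation of an OAuth callback URL against the
# root domain registered with the consumer's credentials. Names and sample
# values are constructed; nothing here is the page's or any vendor's own code.
from urllib.parse import urlsplit


def normalise_host(host: str) -> str:
    """Lower-case a host name and drop a trailing dot (DNS root marker)."""
    return host.lower().rstrip(".")


def callback_allowed(callback_url: str, root_domain: str) -> bool:
    """True only if callback_url is an http(s) URL whose host is the registered
    root domain or a subdomain of it.

    Whole DNS labels are compared, so 'notapp.example' does not match
    'app.example' the way a naive endswith() on the bare domain would.
    urlsplit().hostname already discards any 'user:pass@' prefix, so
    'https://app.example@evil.test/cb' is seen as evil.test and rejected.
    """
    try:
        parts = urlsplit(callback_url)
    except ValueError:          # malformed netloc (e.g. bad IPv6 literal)
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = normalise_host(parts.hostname)
    root = normalise_host(root_domain)
    return host == root or host.endswith("." + root)


# Constructed sample: one consumer registered with root domain "app.example".
REGISTERED_ROOT = "app.example"

SAMPLE_CALLBACKS = [
    "https://tenant1.app.example/oauth/callback",    # allow: tenant subdomain
    "https://app.example/oauth/callback",            # allow: the root itself
    "https://notapp.example/oauth/callback",         # reject: suffix lookalike
    "https://app.example@evil.test/oauth/callback",  # reject: userinfo trick
    "ftp://tenant1.app.example/cb",                  # reject: wrong scheme
    "https://tenant1.app.example.evil.test/cb",      # reject: root mid-host
]


def check_all(urls=SAMPLE_CALLBACKS, root=REGISTERED_ROOT) -> dict:
    """Map each candidate callback URL to its allow/reject decision."""
    return {u: callback_allowed(u, root) for u in urls}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print("ALLOW " if ok else "REJECT", url)
```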
