It took a few years and a few heated discussions to push OAuth 2.0 over the finish line, but less than a year after its standardization the framework is maturing quickly as enterprises and developers tap into its authentication and authorization capabilities.
Last week, at the 16th annual IIW conference, OAuth 2.0 was the focus in a half dozen sessions centered on topics such as client registration, permission controls, and protecting health records. In addition, the OAuth 2.0 mailing list has been very active since the first of the year.
"People are running up against OAuth more in the mainstream instead of just a few major Web services," said Mortezza Ansari, a principal engineer at Cisco who led a session on OAuth at IIW. "OAuth is getting more adoption on the enterprise side, in more business settings, and that brings interesting questions from people working on deployments."
OAuth 2.0 is a framework, so it is natural for architects and developers to formulate, discuss and trial new ideas built on top of it. The spec crawled to approval at the Internet Engineering Task Force (IETF) late last year after late rounds of heated debate.
Websites such as Google and Facebook were early adopters of OAuth, but now the enterprise is getting into the act, especially with the rise in use of mobile devices. For those devices, OAuth offers a range of token-based identity and security options, especially for controlling API access to data.
The uptick in activity around OAuth 2.0 also means more people are looking to build on the OAuth 2.0 framework to meet needs for specific access-control features.
"Federation is a big thing, lifecycle of client management is among the themes of OAuth conversations [at IIW]," said Ansari.
Single sign-on was another popular topic, said Paul Madsen, who has tracked the development of the framework and is a technical architect in the CTO's office at Ping Identity (Disclosure: Paul and I are colleagues).
"My thesis is that people are doing more complex things with both OAuth and OpenID Connect and they want to talk it through with others to see if they are facing similar challenges," said Madsen.
One identity architect from a large corporation, who asked that his name not appear in print, said OAuth is a powerful set of building blocks. "Now that people are building things, they are figuring out other blocks they need."
He said his company needed some enhancements to the capabilities of OAuth tokens and he has begun to build those and document them via drafts submitted to the IETF.
"A lot of people see the modularity and framework of OAuth 2.0 as a detriment because it's not a single static protocol," said the identity architect. "But the tools it is giving us are very, very powerful."
In what other areas is OAuth being used? Are you working on a project involving OAuth?