Web Service Authentication APIs

For a project I’m working on, I’ve been looking at a lot of web service authentication/verification APIs lately. I thought folks might be interested in the results. Here are the methods available for a variety of web services/applications online, with links to their appropriate docs:

| Web Application | Authentication Method |
|---|---|
| Bebo | Custom token |
| Blogger.com | AuthSub |
| Delicious | OAuth (and HTTP Basic) |
| Digg | OAuth |
| Dopplr | AuthSub |
| Facebook | Custom token (Facebook Connect) |
| Flickr | Custom token |
| FriendFeed | OAuth |
| Google Profiles | AuthSub |
| Last.fm | Custom token |
| LinkedIn | OAuth |
| Mixx | OAuth |
| MySpace | OAuth |
| Picasa | AuthSub |
| Posterous | HTTP Basic |
| Reddit | Custom token (modhash) |
| Tumblr | HTTP POST (plaintext password) |
| Twitter | OAuth |
| Vimeo | OAuth |
| Yahoo | OAuth |
| YouTube | AuthSub and OAuth |

Interesting stats:

  • 21 web services analyzed
  • 10 (48%) are using OAuth (including YouTube)
  • 5 (24%) are using AuthSub (also including YouTube)
  • Dopplr is the only non-Google property using AuthSub
  • Tumblr is the only property using plaintext passwords, although Posterous is using HTTP Basic, which only Base64-encodes the credentials and so is effectively plaintext
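To make the HTTP Basic versus OAuth difference concrete, here is an added example (not code from any of the services listed) showing what someone who can read a request recovers in each case. It assumes OAuth 1.0 with the HMAC-SHA1 signature method; the sample request uses the example values from the OAuth Core 1.0 spec, and the Basic credentials are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved chars
    return quote(str(value), safe="-._~")


def basic_header(user, password):
    # HTTP Basic: Base64 is an encoding, not encryption
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_from_basic(header):
    # Anyone who can read the request recovers the reusable password
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password


def oauth1_signature(method, url, params, consumer_secret, token_secret=""):
    # Base string: METHOD & encoded base URL (no query) & encoded sorted params
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The secrets form the HMAC key only; they are never put in the request
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Server side: recompute the signature and compare in constant time
    expected = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Sample request: the example values from the OAuth Core 1.0 spec, Appendix A
URL = "http://photos.example.net/photos"
PARAMS = {
    "file": "vacation.jpg", "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    print(recover_from_basic(basic_header("alice", "hunter2")))  # constructed credentials
    sig = oauth1_signature("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(sig, verify("GET", URL, PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET))
```

The signature authenticates the request without exposing the secrets, but it does not encrypt the request itself, so transport encryption is still needed for confidentiality.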

Looks like OAuth is gaining some real traction, and in fact if Google switched over to using it, it’d have a real hold on the authentication space. That would probably be a good thing. Next up in my adventure will be seeing how truly conformant/compatible all these OAuth implementations are, and how portable my code will be able to be in accessing them all.

If you’d like to add any others that you know about, please throw them in the comments and I’ll add them to the table above so everyone can find them.

  1. westi said:

    Note that these APIs are for Authorization not Authentication – these are two different things!

    It seems that the Twitter OAuth API gets particularly misused as an authentication rather than authorization API, which is a pet hate of mine – so many websites ask you to log in with your Twitter identity when actually they are asking for authentication to 'impersonate' you to Twitter (and hence get access to all your data stored by Twitter – PMs etc.)

    • beaulebens said:

      That's a very good point. In most of the cases above, there's no such thing as a pure authentication API, although I guess depending on the privileges your application requested (especially for something like OAuth), then it could act as an authentication API if it was just "verify your account details" privileges.

  2. Ryan McCue said:

    The problem with OAuth in open source PHP-based software is that you have to either distribute the key (bad), force users to get their own key (worse) or make your own proxy (bad for server load). I'm yet to find a good way to do this, which is why I'm still using the old basic auth API with Twitter. :/

    • beaulebens said:

      Yeah that's a major stumbling block actually. Not sure that there's a good solution to it given the way that OAuth works. For part of what I'm doing, it's looking like I might have to use the HTTP Basic approach, as much as I hate that.

  5. Hwallpapers said:

    Great analysis for the people who want to explore web services. I am just searching for the best to use for my own website. I would like to use OAuth, as Ryan said it's in PHP. I don't think so I can create issues in future.