For a project I’m working on, I’ve been looking at a lot of web service authentication/verification APIs lately. I thought folks might be interested in the results. Here are the methods available for a variety of web services/applications online, with links to their appropriate docs:
Web Application | Authentication Method |
---|---|
Bebo | Custom token |
Blogger.com | AuthSub |
Delicious | OAuth (and HTTP Basic) |
Digg | OAuth |
Dopplr | AuthSub |
| | Custom token (Facebook Connect) |
Flickr | Custom token |
FriendFeed | OAuth |
Google Profiles | AuthSub |
Last.fm | Custom token |
| | OAuth |
Mixx | OAuth |
MySpace | OAuth |
Picasa | AuthSub |
Posterous | HTTP Basic |
| | Custom token (modhash) |
Tumblr | HTTP POST (plaintext password) |
| | OAuth |
Vimeo | OAuth |
Yahoo | OAuth |
YouTube | AuthSub and OAuth |
Interesting stats:
- 21 web services analyzed
- 10 (48%) are using OAuth (including YouTube)
- 5 (24%) are using AuthSub (also including YouTube)
- Dopplr is the only non-Google property using AuthSub
- Tumblr is the only property using plaintext passwords, although Posterous is using HTTP Basic, which is basically plaintext
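To make the last point concrete, here is an added example (not code from the original post or from any of the listed services): an HTTP Basic header decodes straight back to the password, while an OAuth 1.0 HMAC-SHA1 signature uses the secrets only as an HMAC key and the provider verifies by recomputing it. The endpoint URL, credentials and parameter values are constructed, and OAuth 1.0 with HMAC-SHA1 (RFC 5849) is assumed as the signing method.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values (not real credentials or a real endpoint).
URL = "https://api.example.com/1/statuses/update"
PARAMS = {
    "oauth_consumer_key": "demo-consumer-key",
    "oauth_token": "demo-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1250000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "status": "hello world & more",
}

def pct(s):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(s, safe="~")

def basic_header(user, password):
    """HTTP Basic: the credentials are base64-encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):
    """Anything that sees the header (proxy, access log) can reverse it."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def oauth1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the request; the secrets are only ever the HMAC key.
    Narrowed for the example: one value per parameter name, no URL query."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Provider side: recompute the signature and compare in constant time."""
    expected = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    print(recover_basic(basic_header("alice", "s3cret")))  # password comes back
    sig = oauth1_signature("POST", URL, PARAMS, "demo-consumer-secret", "demo-token-secret")
    print(sig, verify("POST", URL, PARAMS, sig, "demo-consumer-secret", "demo-token-secret"))
```

Basic credentials are protected in transit only when the connection itself uses TLS; the signed request keeps the secret out of the request entirely, and changing any signed parameter invalidates the signature.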
Looks like OAuth is gaining some real traction, and in fact if Google switched over to using it, it’d have a real hold on the authentication space. That would probably be a good thing. Next up in my adventure will be seeing how truly conformant/compatible all these OAuth implementations are, and how portable my code will be able to be in accessing them all.
If you’d like to add any others that you know about, please throw them in the comments and I’ll add them to the table above so everyone can find them.
Note that these APIs are for Authorization not Authentication – these are two different things!
It seems that the Twitter OAuth API gets particularly misused as an authentication rather than authorization API, which is a pet hate of mine – so many websites ask you to log in with your Twitter identity when actually they are asking for authentication to 'impersonate' you to Twitter (and hence get access to all your data stored by Twitter – PMs etc.).
That's a very good point. In most of the cases above, there's no such thing as a pure authentication API, although I guess depending on the privileges your application requested (especially for something like OAuth), then it could act as an authentication API if it was just "verify your account details" privileges.
The problem with OAuth in open source PHP-based software is that you have to either distribute the key (bad), force users to get their own key (worse) or make your own proxy (bad for server load). I'm yet to find a good way to do this, which is why I'm still using the old basic auth API with Twitter. :/
Yeah that's a major stumbling block actually. Not sure that there's a good solution to it given the way that OAuth works. For part of what I'm doing, it's looking like I might have to use the HTTP Basic approach, as much as I hate that.
Great analysis for the people who want to explore web services. I am just searching for the best to use for my own website. I would like to use OAuth; as rayan said it's in PHP, I don't think so I can create issues in future.