Posted by: Jack Vaughan
Cloud Services, middleware, Mobile device development, REST
We spoke with Apigee’s Sam Ramji recently. He and the company, which focuses on API products for enterprises and developers, find themselves among those at the center of one of the rising trends in security services: OAuth.
In the past Ramji led open-source strategy across Microsoft, and was a founding member of BEA’s AquaLogic product team. He now acts as strategist for Apigee, where, along with others, he writes for the Apigee API Best Practices blog. He likens the token-based OAuth protocol to a valet key that allows users to go from Web site to Web site (from Twitter to TweetDeck, from Facebook to Twitter, from the New York Times to Facebook, and so on) without multiple logins.
“OAuth allows an application to act as an intermediary to services like Twitter – etcetera – on behalf of the end user,” he said. This kind of token service for site hopping is a hallmark of Web 2.0 and the so-called “App Economy” today. “We couldn’t have done this years ago,” said Ramji.
OAuth fits naturally with the REST-style Web APIs now in wide use, since the whole exchange rides on ordinary HTTP requests and redirects. Moreover, Ramji suggested that OAuth makes a “good enough” security service available to a broader group of developers. The mobile device explosion seems likely to expand OAuth use.
Earlier alternatives demanded that developers learn a more complex set of processes. Of course, OAuth has its limits. It is a delegated-authorization protocol aimed squarely at application-to-application access over HTTP: it lets one site use another on the user’s behalf, but it is not in itself an authentication or single-sign-on protocol. In some enterprises it would sit alongside SAML, OpenID and other heavier security services deployed as gateways closer to vital backend systems.
OAuth can be seen as an indicator of a sea change in services, said Ramji. “It is a token-based security system that allows users’ account information to be used by a third-party application in a way that does not expose the user name and password to that application.”
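To make the “valet key” concrete, here is an added Python model of the OAuth 2.0 authorization-code exchange Ramji is describing. It is illustration written for this page, not Apigee’s code and not from the original post: the user types the password only at the service that owns the account (the “Twitter” role), the third-party app (the “TweetDeck” role) receives a one-time code and trades it, together with its own client secret, for a bearer token limited to the scope the user granted, and the API enforces that scope. All three parties run in one process; the account, the client registration, the redirect URI and the timeline contents are constructed sample values.

```python
import hmac
import secrets
import time

# Constructed sample data for this simulation: one user account and one registered client app.
USERS = {"alice": "correct horse battery staple"}
CLIENTS = {"tweetdeck": {"secret": "client-s3cr3t", "redirect_uri": "https://tweetdeck.example/cb"}}


class AuthorizationServer:
    """The service that owns the account (Twitter in the article): the only party that sees the password."""

    def __init__(self):
        self.codes = {}   # one-time authorization codes -> grant details
        self.tokens = {}  # access tokens -> {user, scope, expires}

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": username, "scope": scope, "redirect_uri": redirect_uri}
        return {"code": code, "state": state}  # what the browser carries back to the client app

    def token(self, client_id, client_secret, code, redirect_uri):
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid, reused or mismatched code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"], "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}

    def introspect(self, token):
        info = self.tokens.get(token)
        return None if info is None or info["expires"] < time.time() else info


class ResourceServer:
    """The API the client app calls with the token; it enforces the granted scope."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.timeline = {"alice": ["hello world"]}  # constructed sample data

    def _require(self, token, scope):
        info = self.auth.introspect(token)
        if info is None or scope not in info["scope"].split():
            raise PermissionError(f"token missing scope '{scope}'")
        return info["user"]

    def get_timeline(self, token):
        return list(self.timeline[self._require(token, "read")])

    def post_tweet(self, token, text):
        user = self._require(token, "write")
        self.timeline[user].append(text)
        return len(self.timeline[user])


class ClientApp:
    """The third-party app (TweetDeck in the article). It only ever handles codes and tokens."""

    def __init__(self, client_id, auth_server):
        self.client_id, self.auth = client_id, auth_server
        self.received = []  # every value handed to this app, so we can show the password is absent
        self.state = self.access_token = None

    def start_login(self, scope):
        self.state = secrets.token_urlsafe(16)  # bound to this browser session to block forged redirects
        return {"client_id": self.client_id, "redirect_uri": CLIENTS[self.client_id]["redirect_uri"],
                "scope": scope, "state": self.state}

    def finish_login(self, redirect_params):
        self.received.extend(redirect_params.values())
        if not hmac.compare_digest(redirect_params.get("state", ""), self.state):
            raise PermissionError("state mismatch: redirect did not originate from our login request")
        resp = self.auth.token(self.client_id, CLIENTS[self.client_id]["secret"],
                               redirect_params["code"], CLIENTS[self.client_id]["redirect_uri"])
        self.received.extend(resp.values())
        self.access_token = resp["access_token"]
        return self.access_token


def run_valet_key_flow(scope="read"):
    """Drive one delegated login end to end and return what each party ended up holding."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    app = ClientApp("tweetdeck", auth)
    req = app.start_login(scope)
    # The user's browser is redirected to the service and the password is typed *there*, never at the app.
    redirect = auth.authorize(req["client_id"], req["redirect_uri"], req["scope"], req["state"],
                              "alice", USERS["alice"])
    token = app.finish_login(redirect)
    return {"app": app, "api": api, "auth": auth, "token": token, "code": redirect["code"]}
```

Calling `run_valet_key_flow("read")` and then `get_timeline` on the returned token reads the timeline, while `post_tweet` with the same token is refused because the user granted only `read`; `run_valet_key_flow("read write")` yields a token that can do both. The `received` list on the app never contains the password, and a second exchange of the same code is rejected. Two caveats worth keeping in mind: the access token is a bearer credential, so anyone who copies it (an unencrypted request, a logged URL, a compromised client) can use it within its scope until it expires, which is why TLS, short lifetimes and the narrowest scope matter; and the `state` check is what stops an attacker from completing a login in the victim's browser with a code the attacker obtained.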
What can go wrong? “The process of wiring up OAuth is pretty complicated for the average developer,” said Ramji. “Also, it is still a spec in motion. No two apps really quite line up easily.”
Apigee’s work is emblematic of the work of API-intensive companies that may change the economics of the software industry. –Jack Vaughan