August 6th, 2012

To OAuth or Not to OAuth? That is the Question – The Long Road to Standardization for OAuth 2.0


To OAuth or not to OAuth? That seems to be the question many in the API business must ask themselves now that OAuth has moved closer to becoming a standard for authentication. OAuth 2.0 reached a major milestone this week on the road to becoming a standard, when the Internet Engineering Task Force (IETF) approved a draft of OAuth version 2.0. Layer 7’s Chief Architect Francois Lascelles says: “This milestone solidifies the OAuth 2.0 claim of being a standard.”

But OAuth’s journey towards becoming a standard hasn’t been completely smooth. Last week, the original editor of the OAuth 2.0 specification and author of OAuth 1.0, Eran Hammer, resigned and removed his name from the specifications. Layer 7’s own CTO, Scott Morrison, offered his support for the specification in a blog post titled Why I Still Like OAuth, in which he stated: “In the end, OAuth is something we all need and this is why this specification remains important. The genius of OAuth is that it empowers people to perform delegated authorization on their own, without the involvement of a cabal of security admins. And this is something that is really quite profound.”

Still, obvious questions remain: Is OAuth 2.0 a solid protocol for authentication? Should I stop building security architecture around such a tainted specification? What other means are there for authentication if OAuth has become too focused on the enterprise? Francois Lascelles will address these questions, and discuss and comment on the recent OAuth 2.0 draft approval, during our next live Tech Talk on August 7. Make sure you add this Tech Talk to your calendar if you want to get the event details and a reminder on the day.

On the day of the event, join on Livestream or Facebook:

And if you’d like to submit some questions:

August 3rd, 2012

Standards, APIs & WAC

GigaOM recently ran a piece declaring the demise of the Wholesale Applications Community (WAC) after only a couple of years on the scene. The article complained that something like the WAC effort is needed and suggested that, given the nature of the industry and the players involved, it’s not likely to happen. However, what the author failed to notice was that the WAC’s attempted solution was way off the mark.

The WAC’s key failure was that it attempted to standardize the wrong thing: the API. This is a common problem that occurs repeatedly. GigaOM readers may recall another example of industry-level standards going astray, summarized in the “Cloudstack-Openstack Dustup” piece from April. I suspect several readers can call to mind similar cases in the not-too-distant past. Such cases usually share a common theme: disagreement on the details of the API.

The solution is right at hand but few see it. The right way to go is to standardize the way messages are designed and shared, not the data points and actions themselves. In other words, the key to successful shared standardization is through media-types and protocols. This is especially true for any communication over HTTP but it holds true for standards operating over any application-level protocol.

We don’t need to look too far to see an example of an industry-led standardization success. VoiceXML was started by AT&T, IBM, Lucent and Motorola as a way to standardize interactive voice system communications. Not long after the first markup was defined in 1999 (a process which took a matter of a few months), the standard was turned over to the W3C for continued growth and refinement.

The goals of VoiceXML were strikingly similar to those of the WAC and Cloudstack/Openstack efforts: defining an interoperable standard that could be used across an industry group. The difference in the case of VoiceXML was that the committee focused on message design and domain-specific details shared by all players. It did not attempt to document all the data elements, function calls and workflows to be used in lockstep by all.

Most likely, the WAC meltdown won’t be the last one we’ll see. But this is not the inevitable result of competing interests in the global marketplace. This is a result of well-meaning people aiming at the wrong target. We can do better. We can learn from successful interface designs and focus on making it possible to consistently communicate a wide range of information freely instead of attempting to constrain systems to a single set of possible interactions.

The future of an effective Web, a growing and vibrant distributed network, rests in the hands of those who would take on the task of writing the vital standards that will make it work. I look forward to seeing more efforts where the focus is on improving communication between parties through well-designed message formats instead of on limiting communication through constrained APIs.

August 1st, 2012

Mobile Security & Management for the Enterprise: SecureSpan Mobile Access Gateway

These days, enterprises face an increasing array of Mobile Access challenges, from BYOD to mobile device management. We live in an increasingly mobile and app-based world. More and more enterprises have mobile-enabled workforces that need access to enterprise data from personal smartphones and tablets.

But how do enterprises balance access control with the individual’s right to choose the apps they want? How do enterprises grant access to sensitive on-premise data via mobile devices without compromising security?

Enterprises need secure ways to surface internal information assets in mobile ready formats that can be easily consumed by both mobile developers and the apps they create. They need simplified ways to manage how enterprise applications and systems get exposed to mobile developers and apps.

Layer 7’s new SecureSpan Mobile Access Gateway does just that by streamlining the process of adapting internal data, application and security infrastructure for mobile use. Delivered as a policy pack extension to our SecureSpan API Proxy/SOA Gateway, the Mobile Access Gateway provides a centralized way to control security and management policies for information assets exposed via APIs to mobile developers and apps.

Contest: Win a $250 Amazon Gift Card

To celebrate the general availability of the SecureSpan Mobile Access Gateway, we’re having a Twitter contest and giving away a $250 Amazon gift card.

Here’s how to enter:

1. Retweet the following:

Win a $250 Amazon gift card from @layer7  http://ow.ly/cFj9i #L7MAG RT to enter!

2. Don’t have Twitter and still want to enter? Just leave a comment on this post, telling us your favorite mobile app.

The contest ends Aug 8 at noon. The winner will be drawn at random. If you win, we’ll send you a direct message on Twitter to let you know.