In developing OAuth, we sought to invent as little as possible, following the Microformats approach to pave existing cowpaths and relying on conventions already established in protocols like Google’s AuthSub, AOL’s OpenAuth, Yahoo’s BBAuth and FlickrAuth and Facebook’s FacebookAuth.
While we wanted the best protocol we could design, we also wanted one that people would use and that would be compatible with existing authentication methods, inherit from existing RFCs and reuse web standards wherever possible. In this way, we ended up leaving a lot out of the spec that seemed interesting but ultimately didn’t belong.
The protocol is flexible in that it is adjustable to the actual security needs of different sites, and extensible through different signing algorithms and security features. It is also designed to work on mobile devices and explicitly supports desktop applications.
Finally, we worked hard to keep our focus on real-world scenarios and to be wary of straying towards the impractical or utterly theoretical. Our discipline resulted in a taut protocol that can be read and implemented without a great deal of effort. To support this end, we hope to offer a number of libraries that will greatly reduce the amount of work necessary to Do the Right Thing™ or to migrate from existing API protocols.