Implementing the New OAuth WRAP
by David Recordon - December 21, 2009 at 1:30pm

We've shipped a prototype implementation of the emerging OAuth WRAP specification on FriendFeed. If you're a developer working with RESTful APIs, you'll want to check this out!

OAuth is a technology that can be thought of as a user's "valet key" for the Web. Just as you don't share your Facebook password with applications built on Connect or Platform, OAuth lets users grant applications access without handing over a password, but in a standard way that developers anywhere can use. In the end, we're trying to make it simpler not just for developers building on our APIs, but for everyone building with OAuth.

While Facebook Connect and our APIs do not use OAuth today, we've been working over the past month to share what we've learned with the broader community and shape both the new OAuth WRAP specification and OAuth's IETF standardization effort. We plan to continue developing OAuth WRAP within the community and incorporate it directly into Facebook Connect next year.

Last month, we joined Google, Microsoft, and Yahoo! in announcing our commitment to technologies like OAuth being free to implement by anyone, anywhere. Following this announcement, we hosted a small summit to go over the current state of the OAuth WRAP specification and start to define a way to make use of OAuth WRAP directly from within JavaScript, like you do today with Facebook Connect. Check out Brian Eaton's notes from the summit.

Luke Shepard, an engineer on our platform engineering team, wrote a draft JavaScript profile for OAuth WRAP. Thanks to Bret Taylor and the FriendFeed team, FriendFeed now has an OAuth WRAP provider prototype.

FriendFeed offers these OAuth WRAP endpoints:

We've also hosted a demo of the Web App profile (get the source code from GitHub) and the client-only JavaScript profile (source code is also on GitHub).

Both of these examples allow you to do the same things -- get an access token and then fetch and render your FriendFeed news feed. The first does it on the server, the second entirely in JavaScript.

We're very interested in what you think about OAuth WRAP in its current form. Bret Taylor, our director of Platform, has gone into more of the technical details of OAuth WRAP and some of the tradeoffs being made between WRAP and traditional OAuth.

Happy Holiday Hacking!

David Recordon, senior open programs manager, is looking for engineers who love open standards (like OAuth, OpenID, Activity Streams) and making the entire Web a more open social place. (Want a job?)