I wish I could attend IIW but I had previous work related obligations that I simply could not get out of. I do hope to attend the next one (IIW 2008a).

Now it’s time to update the C# client to the latest and really final version of the spec.

Congrats to everyone involved with OAuth. It is a truly amazing group of people and I think we can all be proud of the outcome!

At first I wanted to release a more complete integration of OAuth within ASP.NET, but that will have to wait to the next time frame I can allocate to work on this.

In the meantime, there is some basic C# code in the OAuth code repository which generates the OAuth signature, which is the most complicated thing to implement in the spec (not that it’s that difficult to implement :-) It’s actually quite easy).

To use the C# code, simply do this (based on the samples in the spec):

using OAuth;

OAuthBase oauth = new OAuthBase();

Uri url = new Uri(“http://photos.example.net/photos?file=vacation.jpg&size=original”);

string signature = oauth.GenerateSignature(url, “dpf43f3p2l4k3l03″, “kd94hf93k423kf44″, “nnch734d00sl2jdk”, “pfkkdhi9sl3r4s00″, “GET”, oauth.GenerateTimeStamp(), oauth.GenerateNonce(), OAuthBase.SignatureTypes.HMACSHA1);

After that you can concatenate the relevant query parameters as well as the signature value to the URL and use it.

If you have a different timestamp and/or nonce generation method, you can inherit and override these methods.

If you require a different hashing algorithm other than the default HMAC-SHA1 or the PLAINTEXT (which MUST be used with a secure communication channel such as HTTPS) you can use the “GenerateSignatureBase” method to generate the signature base string and then call “GenerateSignatureUsingHash” passing the signature base and the hash algorithm you are using.

That’s about it. I’ll update when I’ll have some more integrative code.

I will add though that my C# library which I’m promising for quite some time will get out very soon :-) (Sorry for the delay, it’s been hectic around here).

I will say that OAuth should make the Internet a little bit safer by giving the technical means to remove the need of a certain service asking the user to give his/her username and password to access another service that that user is also using.

OAuth is to credentials delegation what OpenID is to authentication. An open standard for delegating a user’s credentials between services, the same way OpenID is an open standard for authentication.

It is important to note, however, that OAuth is not limited to be used with OpenID only. It CAN be used with ANY authentication scheme both open and proprietary.

After all, some of the main mantras of OAuth were that we don’t want to reinvent the wheel(s) and we want OAuth to play nicely with everyone.

I’m contributing to the working group of OAuth and we just released the first public draft for OAuth 1.0. Take a look, read the spec and share your thoughts and comments with us!

OAuth – another brick in the open standards wall of authentication, credentials delegations and ultimately identity.