Developer Release: OAuth for Mac Apps

A few Sundays ago, I had the pleasure of attending my first DevHouse event. This one was SHDH20, located in Cupertino. The event was an impressive gathering of hackers and thinkers, all of whom seemed ready to share their ideas and code.
At 8:00 PM, there was an OAuth implementors meeting that saw lots of interested individuals seated anywhere they could find space. It had a sort of “town meeting” feel to it and Chris Messina did a nice job of coordinating the conversation. I had been following the mailing list with interest and reading the spec, but this meeting clinched it — OAuth was the way to go for Actiontastic to Actionatr authorization and, in my humble opinion, the way to go for all kinds of apps — desktop and web — to interact in a responsible and friendly manner.
So…What is OAuth?
Others have summarized it better than I will here, but one nice description that has been offered is this: OAuth is a valet key for web apps.
Consider the use case that is common on social networks right now. “Would you like to import your contacts from Gmail so that SocialApp X can find them?” Sure! Just provide your password (the same one that allows anyone to send email in your name, or delete every message you have) to SocialApp X and everyone promises to play nice. SocialApp X, Inc. also promises to only deploy perfect code so no bug will ever affect your Gmail account either. Awesome. Maybe you can trust them, but you shouldn’t have to (as Adam Kalsey put it recently).
The better use case is that of OAuth. Let’s try the above again…“Would you like to import your contacts from Gmail so that SocialApp X can find them?” Sure! Click. This time Gmail asks you if you would like to grant read-only access to your contact list for SocialApp X. You agree, and SocialApp X never sees your password and can only access what you have permitted. You stay in control, and changing your Gmail password doesn’t mean running around to a dozen other sites and updating your profile.
OAuth and OpenID
One area where OAuth shines is for sites that use OpenID and interact with desktop apps. Actionatr is OpenID-only and the former question of “How does a desktop app like Actiontastic log in to Actionatr using something that requires browser redirects?” is answered beautifully. No extra username and password required. No enable-then-copy-and-paste-an-API-key interactions are required either.
The Code
So today, I am releasing the first layer of Actiontastic in its open source form: the OAuthConsumer framework. The MIT-licensed Objective-C 2.0 code is in the OAuth svn repository along with implementations for other languages like Ruby, Perl (including Jifty!), Python, Java, PHP and C#. The intent is to drop the framework into an app that you are developing and use OAMutableURLRequest in place of the usual NSMutableURLRequest for web interactions. The framework takes care of the OAuth specifics regarding tokens, digest signatures, authorization headers, and even provides Keychain storage for credentials. This is layer one residing beneath the next open source slice, KloudKit.
If you’re the type to dive in and build a copy of the framework for yourself, please be aware that the OAuth spec is still in draft form and this framework should be considered pre-alpha. I will begin adding docs and caveats to the project site as an aid for early adopters.
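To make the "tokens, digest signatures, authorization headers" work concrete, here is an added sketch in Python (not code from the OAuthConsumer framework) of how a consumer signs a request with HMAC-SHA1 and how a provider checks it. It assumes the signing rules of the final OAuth Core 1.0 spec rather than the draft mentioned above; all function names are hypothetical and the credentials are the published sample values from that spec's appendix.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(value):
    # OAuth percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="~")

def base_string(method, url, params):
    # url carries no query string; query and oauth_* parameters are in params.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is the two shared secrets; the user's password plays no part.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def authorization_header(oauth_params, signature, realm=""):
    fields = dict(oauth_params, oauth_signature=signature)
    items = ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(fields.items()))
    return f'OAuth realm="{realm}", {items}'

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Provider side: recompute the signature and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Sample values: the published example from the OAuth Core 1.0 appendix.
URL = "http://photos.example.net/photos"
QUERY = {"file": "vacation.jpg", "size": "original"}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
OAUTH = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}

def signed_request():
    signature = sign("GET", URL, {**QUERY, **OAUTH}, CONSUMER_SECRET, TOKEN_SECRET)
    return signature, authorization_header(OAUTH, signature, realm="http://photos.example.net/")

if __name__ == "__main__":
    print(signed_request()[1])
```

A provider also has to reject reused nonce and timestamp pairs; this sketch checks only the signature.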


Chris Messina wrote:
Whohoo!! Excellent work man — I can’t *wait* to see what comes of this!
Posted on 02-Nov-07 at 10:31 am | Permalink
Jon wrote:
@Chris, I can’t wait either! Releasing code seemed like a good way to help things along.
Posted on 02-Nov-07 at 11:19 am | Permalink
Stubbleblog » Blog Archive » OAuth for Mac Apps wrote:
[…] OAuth is one of the standards behind the emerging open social web. It allows you to grant access for one site to access data on another, say allowing LinkedIn to keep track of your GMail address book. My friend Jon Crosby just released an OAuth consumer library for Mac Apps. […]
Posted on 02-Nov-07 at 12:37 pm | Permalink
Scattershooting at Like It Matters wrote:
[…] Oauth for Mac apps. (via Tony Stubblebine) […]
Posted on 05-Nov-07 at 5:25 am | Permalink
OAuth Consumer for Tiger and Leopard available « OAuth wrote:
[…] 26, 2007 · No Comments George Fletcher just checked in the port of Jon Crosby’s Objective-C OAuth ConsumerFramework to Tiger into the OAuth Code Repository. […]
Posted on 26-Nov-07 at 5:54 pm | Permalink