Well, there's FINALLY a solution to put those concerns to bed so you can sleep well at night - OAuth.
OAuth: Valet Key
What is OAuth, you ask? "An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications." Say what? Here's an analogy I'm sure most can understand and appreciate.
Many luxury cars today come with a valet key. It is a special key you give the parking attendant; unlike your regular key, it will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever: you give someone limited access to your car with a special key, while using your regular key to unlock everything.

So, basically, OAuth allows services like CloudSponge.com to access just your contacts, and only your contacts. No personal info, emails, photos, etc.
Every day, new websites offer services that tie together functionality from other sites: a photo lab printing your online photos, a social network using your address book to look for friends, APIs to build your own desktop application version of a popular site. These are all great services; what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only do you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they want, even change your password and lock you out.
This is what OAuth does: it allows you, the User, to grant access to your private resources on one site (called the Service Provider) to another site (called the Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).
How OAuth works
To understand OAuth a bit further, let's take a look at how it works. Let's say you want to import a user's contacts for your email invite.
- User = your customer
- Consumer = your application through CloudSponge.com
- Service Provider = Yahoo, Gmail
Here are the typical steps taken in the OAuth process:
- Consumer requests to import User's contacts.
- User is directed to the Service Provider to a consent page.
- User grants consent to Service Provider to allow Consumer to access their contacts.
- Consumer receives an access token from Service Provider to retrieve User's contacts.
- Consumer uses the access token to retrieve the User's contacts from the Service Provider.
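To make those five steps concrete, here is an added example that is not code from this post or from CloudSponge: a small Python simulation of a three-legged OAuth 1.0 exchange (HMAC-SHA1 signing in the style of RFC 5849) against an in-memory Service Provider. Everything in it is constructed for the illustration: the `provider.example` host, the consumer key and secret, the user "alice" and her data, and the `scope` parameter, which is not part of OAuth 1.0 core but an extension some providers added; the assumptions are also marked in the code comments.

```python
"""Toy three-legged OAuth 1.0 flow (RFC 5849 style); constructed example, every name is made up."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: percent-encode everything except the unreserved characters
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Section 3.4.1: METHOD & encoded URL & encoded, sorted, normalised parameter string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(url)}&{pct(normalized)}"

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: signing key = encoded consumer secret & encoded token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()

def signed(consumer_key, consumer_secret, method, url, extra, token="", token_secret=""):
    # What the Consumer sends: the protocol parameters plus a signature over all of them
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
              "oauth_timestamp": str(int(time.time())), "oauth_signature_method": "HMAC-SHA1",
              "oauth_version": "1.0", **({"oauth_token": token} if token else {}), **extra}
    params["oauth_signature"] = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return params

class ServiceProvider:
    """The site that holds the User's data (the address book provider)."""
    BASE = "https://provider.example"  # hypothetical host

    def __init__(self):
        self.consumers = {}       # consumer_key -> consumer_secret
        self.users = {}           # username -> {"password", "contacts", "photos"}
        self.request_tokens = {}  # temporary credentials awaiting the User's consent
        self.access_tokens = {}   # token -> {"secret", "user", "scope"}

    def _verify(self, method, url, params, token_secret):
        # Recompute the signature over every parameter except oauth_signature itself
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        secret = self.consumers[params["oauth_consumer_key"]]
        if not hmac.compare_digest(params["oauth_signature"],
                                   hmac_sha1(method, url, unsigned, secret, token_secret)):
            raise PermissionError("bad signature")

    def request_token(self, method, url, params):
        self._verify(method, url, params, "")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        # "scope" is not in OAuth 1.0 core; providers added it themselves (assumed here)
        self.request_tokens[token] = {"secret": secret, "scope": params["scope"],
                                      "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, username, password):
        # The consent page: the User types the password HERE, never at the Consumer
        if self.users[username]["password"] != password:
            raise PermissionError("bad login")
        rec = self.request_tokens[token]
        rec["user"], rec["verifier"] = username, secrets.token_hex(4)
        return rec["verifier"]

    def access_token(self, method, url, params):
        rec = self.request_tokens[params["oauth_token"]]
        self._verify(method, url, params, rec["secret"])
        if rec["user"] is None or params["oauth_verifier"] != rec["verifier"]:
            raise PermissionError("request token was not authorised")
        del self.request_tokens[params["oauth_token"]]  # request tokens are one-time use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rec["user"], "scope": rec["scope"]}
        return token, secret

    def resource(self, name, method, params):
        rec = self.access_tokens[params["oauth_token"]]
        self._verify(method, f"{self.BASE}/{name}", params, rec["secret"])
        if name != rec["scope"]:  # the valet key: the token opens only what was consented to
            raise PermissionError(f"token not authorised for {name}")
        return self.users[rec["user"]][name]

def run_flow():
    """Walk the five steps from the post; returns (contacts, photos_denied)."""
    sp = ServiceProvider()
    key, sec = "invite-app", "consumer-secret-xyz"
    sp.consumers[key] = sec
    sp.users["alice"] = {"password": "correct horse", "photos": ["vacation.jpg"],
                         "contacts": ["bob@example.com", "carol@example.com"]}
    url = f"{sp.BASE}/oauth/request_token"                 # 1. Consumer asks for the contacts
    rt, rts = sp.request_token("POST", url, signed(key, sec, "POST", url, {"scope": "contacts"}))
    verifier = sp.authorize(rt, "alice", "correct horse")  # 2-3. User consents at the Provider
    url = f"{sp.BASE}/oauth/access_token"                  # 4. Consumer receives an access token
    at, ats = sp.access_token("POST", url,
                              signed(key, sec, "POST", url, {"oauth_verifier": verifier}, rt, rts))
    url = f"{sp.BASE}/contacts"                            # 5. Consumer retrieves the contacts
    contacts = sp.resource("contacts", "GET", signed(key, sec, "GET", url, {}, at, ats))
    try:                                                   # same token, another resource: refused
        sp.resource("photos", "GET", signed(key, sec, "GET", f"{sp.BASE}/photos", {}, at, ats))
        photos_denied = False
    except PermissionError:
        photos_denied = True
    return contacts, photos_denied
```

Two things in `run_flow()` are the point of the analogy: the password is only ever typed into `authorize()`, the Service Provider's own consent page, so the Consumer never holds it; and the access token that comes back is bound to the consented scope, so the same token that returns the contacts is refused for photos. The `oauth_nonce` and `oauth_timestamp` values are emitted but not checked here; a real Service Provider must record nonces and reject stale timestamps so a captured request cannot be replayed.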
Who's supporting OAuth
Since OAuth is an open protocol, many providers are already jumping on the bandwagon to support it, including Digg, Jaiku, Flickr, Ma.gnolia, Pownce, Twitter and MySpace. Particular to address books, Yahoo, Gmail and Plaxo all support OAuth for accessing their contact data. Though Microsoft is not listed here, Windows Live uses a similar access-token protocol to ensure applications are allowed access only to the specific data users have consented to.

At CloudSponge.com, we take the privacy and security of your users' contacts seriously. We are already taking steps to support OAuth in the contact sources we support. We should have this feature available to you in the coming weeks. Stay tuned for when it is available.
If you would like to learn more about OAuth or CloudSponge.com, feel free to contact us.