Flickr, Twitter, OAuth: A Secret History

July 1st, 2009

I remember it as a dark and stormy night, that seems unlikely, but I’m sure it was late and chilly and damp.

I remember being tired from a long day in the salt mines; that was during a period when I was always tired after work.

I remember there being whiskey, and knowing @maureen, that seems likely.

I’d just won some internal battles regarding delegated auth, and implemented Google AuthSub for the new Blogger Beta, as well as Amazon auth for a side project. So when I wanted to share photos from Flickr to Twitter, I knew it wasn’t going to be over HTTP Basic Auth.

A few weeks earlier @blaine and @factoryjoe had pulled me into a project called OpenAuth that they’d been talking about for a couple of months — an alternative to yet another auth standard, and a solution for authenticating sites using OpenID.

So one late, damp night along Laguna St. with whiskey, we did a pattern extraction, identifying the minimal possible set of features to offer compatibility against existing best practice API authorization protocols. And wrote down the half pager that became the very first draft of the OAuth spec.

That spec wasn’t the final draft. That came later, after an open community standardization process allowing experts from the security, web, and usability community to weigh in and iterate on the design. But many of those decisions (and some of the mistakes) from that night made it into the final version.

Yesterday, a little over two years later, we finally shipped Flickr2Twitter.

So it was nice yesterday when people commented on the integration:

“Uses OAuth!” “Doesn’t ask for your Twitter password” “Great use of OAuth”.

And I thought to myself, “It better be, this is what OAuth was invented for — literally”.

4 Responses to “Flickr, Twitter, OAuth: A Secret History”

  1. David King says:

    I’m just writing my own OAuth provider and am following a trail that seems most active about half-a-year ago, very interesting to read about the storm that predates the calm we’re in!

  2. bucabay says:

    That's a long time, 2 years. So you guys really invented OAuth for Flickr2Twitter? Interesting.

  3. philgo says:

    So why exactly did it take so long? Y! Paranoids?

  4. [...] This is clearly a pain point for Elliot-McCrea as he was instrumental in creating the OAuth standard that Twitter and many other services now use to allow for third-party link-ups. So Flickr and Twitter linking up via OAuth should have happened right away, right? Nope. According to Elliot-McCrea, it took about two years — something which he detailed here. [...]