OAuth 2.0 Makes Its Way Onto the IBM i
March 18, 2015 Alex Woodie
Don’t look now, but OAuth, the open standard for authentication first described by Twitter for allowing people to share data without using a password, is making its way into the enterprise. It’s even being adopted in the IBM i ecosystem, where a number of vendors, including BVS Tools, are making it a standard authentication system for IBM i communication utilities.
The folks at Twitter initially started developing OAuth nine years ago to provide a way to share files over the Web without passing user IDs and passwords. Instead of sharing credentials, the OAuth protocol allows users to approve one application interacting with another on their behalf, without involving any passwords.
This is handy in the Web 2.0 world of social media. If you’ve ever been on a website and been presented with the opportunity to post something to social media (say, your Twitter feed or your Facebook page), then OAuth is the magic glue that makes that happen.
BVS started adopting OAuth 2.0 in its IBM i utilities with the 2013 launch of GreenTools for Google Apps (G4G), which connects IBM i data with Google Apps, notably Google’s Drive, Cloud Print, Contacts, and Calendar apps. Soon thereafter, BVS supported OAuth 2.0 with GreenTools for Microsoft Apps (G4MS), which similarly uses Microsoft’s APIs to upload IBM i-resident data to Microsoft OneDrive.
Now BVS is adopting OAuth in MAILTOOL, its popular tool that allows users to send emails from the IBM i server using a command line or RPG program. Specifically, BVS is supporting OAuth 2.0 in MAILTOOL Plus, an add-on to MAILTOOL that allows users to bypass the IBM SMTP server and send IBM i-generated emails via Gmail and Microsoft’s Office 365 accounts.
As BVS’ Brad Stone explains, the changes will enable MAILTOOL Plus customers to stay straight on the narrow OAuth 2.0 path. “In a nutshell, it allows those wanting to send email from their IBM i using Gmail to take advantage of OAuth 2.0, which means they don’t need to store passwords on their system,” Stone says via email.
Stone would have preferred to concentrate his efforts on building out the G4G and G4MS product sets, but he said he believed the writing was on the wall regarding the eventual demise of older authentication methods for hosted email.
“It seems Google is slowly moving this way for all their application access,” Stone says. “They’ve already deprecated the old ClientLogin method for most Google Apps and moved to OAuth 2.0. I have a feeling the same will happen with Gmail.”
OAuth 2.0 certainly has momentum. It’s used exclusively by social media sites like Facebook, Instagram, and Foursquare, as well as big cloud email providers like Google and Microsoft. But there’s trouble brewing in the house of OAuth, and some sites, like Twitter, Salesforce.com, and LinkedIn, support both OAuth 1 and OAuth 2.
The OAuth 1.0 protocol was originally published in 2010 by the Internet Engineering Task Force. In 2012, the standard was rewritten as OAuth 2.0, which is not backward compatible with OAuth 1.0. Eran Hammer, the lead author of the OAuth 2.0 project, quit because he believed the enterprise focus of OAuth 2.0 was leading it down the road of being too complex, too incomplete, and too insecure (you can read all about the hubbub on Wikipedia).
MAILTOOL Plus, by the way, never used OAuth 1.0. Instead, it supported only “plain” and “basic” authentication mechanisms, so OAuth 2.0 should be a big improvement in any event.