After nearly 18 months of work, the group authoring OAuth 2.0 today requested that the draft specification take the first of many steps toward finalization within the Internet Engineering Task Force (IETF).

Barry Leiba, listed as the document's shepherd within the IETF, sent an email to Stephen Farrell, who is the IETF's Area Advisor for the OAuth group, saying "the OAuth working group requests publication of draft-ietf-oauth-v2-22 as Proposed Standard."

OAuth 2.0 is an authentication mechanism, more a framework than a protocol, that lets many different client types securely access RESTful APIs. It is viewed as an important development for securing mobile computing, including single sign-on for native mobile applications.

The request for publication is but a single step toward ratification and simply signals the working group is seeking formal review. The next step would be for Farrell to review the draft to make sure it is ready to be advanced within the IETF approval process, which can lead to publication as a standard or "RFC."

"I don't anticipate any serious roadblocks at this point... just perhaps a few potholes and such.," Leiba said. "I think the working group participants have done a great job in the last several months...coming to consensus on a spec we can all get behind."

The IETF process is highly procedural, including reviews by the Internet Engineering Steering Group (IESG), which provides final technical reviews. It could take months for the draft to make its way through the process.

While one outcome might be the draft's death, it is widely believed OAuth 2.0 will eventually be approved. Companies such as Google, Facebook and Salesforce.com are already using it (disclosure: Ping included OAuth 2.0 support in its recent 6.5 version of PingFederate).

Leiba is optimistic although he anticipates a few more changes during IETF last calls and the IESG reviews. 

Leiba says if Farrell gives the draft the go-ahead, it would go to IETF last call for two weeks. After that, it would go to an IESG "telechat" likely in mid-October. If the working group has adequately addressed all questions leading up to the telechat, the draft could be approved there and sent into the RFC editing process, which could take 8-12 weeks.

"So we're looking at late December or early January as a likely time for the RFC publication," he said. During that process, however, the working group won't be sitting with its fingers crossed.

"Now we have to continue working on the accompanying documents: bearer tokens, HMAC, SAML assertions, and the detailed threat analysis and in-depth security considerations that give more guidance on the many security-related issues that go with a protocol like this," Leiba said.