Security enhancements for third party authentication

Posted by Seth Hitchings on 24 Apr 2012

The security and privacy of our users’ data is our top priority. This is reflected in our three laws of data protection, and it’s reflected in the way that we design our service and the products that access it. As a result, our users trust us, which is one of the reasons that we’ve been so successful.

Since we launched the Evernote API in October of 2008, we’ve allowed third party applications to authenticate to Evernote the same way that our applications do – by collecting a user’s Evernote username and password and sending them to our web service. Username and password authentication is easy for developers to implement, but it’s not great from a security perspective: every application that holds the password has the same unrestricted access as the user, the user has no way to tell which application did what, and the only way to revoke one application is to change the password for all of them. Today, we’re making some big changes to improve the security of apps built on our API, starting with a transition from username and password authentication to OAuth.

We are now requiring all new applications to authenticate to the Evernote service using OAuth, a standard authorization protocol used by Google, Twitter, Dropbox and most other major web service providers. We will no longer activate applications on the production Evernote service if they use username and password for authentication. The Evernote service has long supported OAuth, and now we’re making it mandatory.

Developers have until November 1, 2012 to modify existing applications that authenticate using username and password. At that time, we will cut off third party access to the UserStore.authenticate function. We will email developers who hold “client” API keys (those that authenticate via username and password) this week to let them know about this change, and again in September if they have not converted their application to OAuth.

Most developers are familiar with OAuth from working with other APIs, but we recognize that properly implementing an OAuth client is more work than simply prompting for the user’s Evernote username and password. To make the transition easier, we’ve taken two steps.

First, developers who are simply experimenting with the API or scripting access to their own personal account can obtain a developer token. These tokens allow a developer to access their account through the API without any additional authentication. Developer tokens make it easy to get started learning the Evernote API or automating actions for your own account. To learn more about developer tokens, visit dev.evernote.com.

Second, we’ve added OAuth functionality to our iOS and Android SDKs, which we’ve published on GitHub. The new SDK functionality implements the entire OAuth flow and can be plugged into an application by copying a few blocks of code. The SDKs also include sample applications that demonstrate how to use the OAuth functionality. Our SDKs for PHP, Python and Ruby contain sample code showing how to use popular OAuth libraries to authenticate to Evernote. We’ll be releasing SDKs and sample code for other platforms and languages over the next few weeks.
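To show what the "more work" of an OAuth client actually consists of, here is the client-side signing that every leg of the flow needs. This is an added example written for this page, not code from the Evernote SDKs or from the OAuth libraries mentioned above. It assumes the provider follows OAuth 1.0a (RFC 5849) with the HMAC-SHA1 signature method; the request-token URL, the callback URL and the placeholder credentials are made up for illustration, and the only hard-coded values that come from anywhere real are the parameters of the worked request in RFC 5849 section 3.4.1.1, whose signature base string the RFC prints and the example reproduces. Note that nothing in the flow ever touches the user's Evernote password: the app proves it holds its own consumer secret, and the user grants access in a browser session with the service.

```python
"""OAuth 1.0a client-side signing (RFC 5849), HMAC-SHA1 method.

Added example, not Evernote SDK code. Assumptions: the provider speaks
OAuth 1.0a with HMAC-SHA1; endpoint URLs and credentials below are
placeholders, so check dev.evernote.com before reusing any of this.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, urlunsplit


def percent_encode(value):
    """RFC 5849 3.6: encode everything except A-Z a-z 0-9 - . _ ~ (uppercase hex)."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname.lower()
    default = (scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path or "/", "", ""))


def normalize_params(params):
    """Encode name and value, sort by both, join as name=value&name=value.

    `params` holds every query-string, form-body and oauth_* header field
    except oauth_signature and realm, which are never signed.
    """
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, params):
    """METHOD & encoded base URI & encoded normalized parameters (RFC 5849 3.4.1)."""
    return "&".join([method.upper(),
                     percent_encode(base_string_uri(url)),
                     percent_encode(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; token_secret is empty on the request-token leg."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(oauth_params, signature, realm=None):
    """Build the Authorization: OAuth ... header; only oauth_* fields belong here."""
    fields = dict(oauth_params, oauth_signature=signature)
    parts = [f'realm="{realm}"'] if realm is not None else []
    parts += [f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(fields.items())]
    return "OAuth " + ", ".join(parts)


def request_token_header(consumer_key, consumer_secret, callback_url, nonce, timestamp,
                         url="https://provider.example/oauth"):
    """First leg of the three-legged flow: the app signs with its consumer secret
    alone and asks for a temporary token; the user then approves it in the browser
    and the app exchanges it for an access token. `url` is a placeholder (assumption)."""
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", nonce),
        ("oauth_version", "1.0"),
        ("oauth_callback", callback_url),
    ]
    base = signature_base_string("GET", url, oauth_params)
    return authorization_header(oauth_params, hmac_sha1_signature(base, consumer_secret))


# Constructed check: the request from RFC 5849 section 3.4.1.1 (query string and
# form body already decoded), whose signature base string the RFC prints.
RFC5849_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC5849_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string
    ("c2", ""), ("a3", "2 q"),                                 # form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC5849_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)


def rfc5849_example_base_string():
    return signature_base_string("POST", RFC5849_URL, RFC5849_PARAMS)


if __name__ == "__main__":
    assert rfc5849_example_base_string() == RFC5849_BASE_STRING
    print(request_token_header("consumer-key", "consumer-secret",
                               "https://app.example/callback", "7d8f3e4a", 137131201))
```

The details that commonly go wrong, and that a library does for you, are all visible here: parameters from the query string, the form body and the header are signed together; names and values are encoded before sorting; the signature itself and `realm` are excluded; and the signing key is the two secrets joined with `&`, which is why the request-token leg signs with an empty token secret. A consumer secret embedded in a mobile app is extractable, so the protection it gives is against a third party impersonating the app to the service, not against the app's own user.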

Full documentation of Evernote’s OAuth provider is available on dev.evernote.com. As usual, our developer relations team is available to answer any questions. If you have trouble implementing OAuth, please let us know. We’re here to help.

2 Comments

  • José González D'Amico (@Jose_GD)

    Very well done Evernote, developer tokens for easy experimenting is the way to go, all API publishers should take the same route. Congrats!

  • Vladimir Campos

    I’m not a developer, but I was anxiously waiting for this because I could never trust my credentials to any App that integrates to Evernote. Now I’ll be happy to connect a lot of Apps as soon as they implement OAuth.