Skip to content

WebFinger, OAuth and Freebusy lookups

One of the more frustrating aspects of calendaring systems is that the freebusy lookups are all proprietary.  Meeting invitations can be sent from one system to another (assuming you know a time to meet).  However, it is not possible to lookup when someone from Lotuslive, someone from gmail and someone from Yahoo are all available to meet.  In the corporate space this type of scheduling is invaluable.

The format for looking up someone’s freebusy time is included in a standard that was completed in 1998, but they punted on all the hard stuff.  The hard bit, as I have mentioned before, is working out where someone’s freebusy is stored on the web and then authenticating with that store in a manner that can be verified. WebFinger and OAuth are now putting the complete round trip within spitting distance.

Below I’ll propose an approach to scheduling a meeting with my mom (who uses gmail) from LotusLive (which I use). I will be (but using LotusLive for my calendaring service) and my mom is  We’ll also assume that my mom has told google that it can share her calendar free time data with any one in her contact list and that I am in her contact list.

  1. I head into my calendar service (on lotuslive), click on Add Event and type into the invitees list.
  2. LotusLive now uses WebFinger to lookup the different api services that google provides for access to my mom’s data along with the corresponding URL for the service.  The details on how this works are outlined here on Eran’s blog. At the end of this, LotusLive gets back a XRD document that looks something like the following.

    <?xml version='1.0' encoding='UTF-8'?>
    <XRD xmlns=''>
        <Link rel=''
              href='' />
        <Link rel=''
              href='' />

    From this LotusLive can now determine that my mom’s freebusy endpoint is at  It concludes this by looking for the link with a rel attribute of

  3. If my mom had made her freetime calendar data public then LotusLive can simply retrieve the data from the URL, but to add to the complexity let’s assume that it requires authentication i.e. LotusLive needs to prove to Google that it has at the browser and then Google checks that is in my mom’s contact list. We’ll do something here very similar to what signed fetches do in opensocial i.e. lotuslive will use OAuth to assert that it has at the browser. What we’ll end up with is a url that looks something like

    LotusLive has here claimed that it has at the browser and using OAuth has signed the request with a private key.  It has also indicated where the public key is to validate the signature.

  4. Google receives the request, retrieves the public key and verifies the signature.  If it trusts signatures and keys from LotusLive (verifiable by retrieving certs from an https url with a domain) then it is done at this point. However that is a fairly large amount of trust to place on LotusLive as LotusLive could assert on behalf of any identity. Google really needs to check that LotusLive can assert’s identity.  Here we’ll use webfinger again.
  5. Google now does a WebFinger lookup on and gets an XRD document such as the one below

    <?xml version='1.0' encoding='UTF-8'?>
    <XRD xmlns=''>
        <Link rel='IDP' href='' />

    Google now sees that is a valid Identity Provider for and so accepts the assertion.

  6. Google checks that is in my mom’s list of contacts and as I am returns her freebusy.
  7. Finally, LotusLive gets a response from Google outlining my mom’s free time and displays it in a nice calendar.  I can choose a time that she is free and send her an invite.

I know this is not perfect and I know there are probably a fair amount of changes that are needed, but I wanted to jot down something that, I think, is fairly close to a workable solution.  Am very interested in other’s thoughts.

p.s. WebFinger on email addresses does provide a means of discovering valid email addresses, but no where near as much as this does.  The fight against spam can’t center on not making email addresses discoverable.

{ 13 } Comments

  1. Mark McG | March 16, 2010 at 7:40 am | Permalink

    It is a nice goal to have some generic approach like this that could work for any mail provider to any other mail provider. Some comments:

    Gmail is allowing any user in contacts list to see your freebusy time. Fine, I am sure there is some variation of this that could work for all email providers providing it was clear to the end user.

    Rob needs to call gmail and assert his identity. Is Oauth doing anything other than verifying the call came from LotusLive? I guess it is also used to grant the access token which can then be used to make the freebusy call
    Is there a better mechanism for asserting identity that can be used such as OpenId or SAML. Can the OpenId/OAuth hybrid protocol be used except here it is 2 legged Oauth with openId assertion used to determine what the scope of the Oauth token is

  2. Rob Yates | March 16, 2010 at 8:37 am | Permalink

    @Mark, yes there are many variations that could govern the business rule as to who is let in e.g. in an app like lotuslive it could be set at the org level.

    OAuth provides a means for LotusLive to assert to google its claim that it has at the browser. If there is trust between Google and LotusLive then no further checks are needed. If Google wants to check that LotusLive has the right to claim it has at the browser then it needs to check using WebFinger that LotusLive is authorized to make that claim.

    The problem that Openid and SAML have is that they have no bindings for HTTP calls. I think that this is going to be addressed as it looks like there is interest in building the next version of openid atop OAuth 2.0.

  3. Nathaniel Borenstein | March 16, 2010 at 11:03 am | Permalink

    I think this is freaking brilliant. There has been a huge hole in the calendaring protocols, and you’ve figured out how to fill it in, almost entirely, by putting two emerging protocols together. Seriously Brilliant.

    That said…… and you knew this was coming… I do have some concerns. Biggest among these is the immaturity of webfinger. You’re essentially talking about standardizing on the use of something that barely exists yet. We would have to put serious weight behind the webfinger effort to help it succeed, in part by participating in its evolution, but even more importantly by bringing the calendaring community in as supporters, and by helping shepherd webfinger through the IETF. (Even though most of the work will probably be done at calconnect, the documents will have to go through the IETF wringer.) Leadership in those venues would be a good thing for IBM to contribute.

    There are also some missing details about the format of the data that you receive about free/busy — are you basically thinking of this as a caldav proxy, with iCal coming back? Or something more XML-ish and probably not yet well-specified?

    Overall though… great idea!

  4. Mark McG | March 16, 2010 at 12:37 pm | Permalink

    SAML does support HTTP binding.

    I think Webfinger is an excellent idea for step 2, discovering the feebusy endpoint. I am not so sure about it’s use in asserting identity and perhaps that is just because I don’t know the types of attacks that could be launched at steps 4/5.

    Wouldn’t a strong identity assertion protocol at step 4 negate the need for step 5 (binding issues aside)?

  5. Rob Yates | March 16, 2010 at 12:53 pm | Permalink

    @Nathaniel I am not sure the process by which WebFinger is becoming a standard. I can’t even find a mailing list about it. I will ask Eran on his blog. Maybe it will come out of the IETF OAuth group.

    On the format for the data, that is all in that spec from 1998. We could maybe change it if we wanted, but what exists with VFREEBUSY probably works for most.

    @Mark SAML does not have a binding for arbitrary REST api calls. It has a binding to http GET redirect or POST, but those are essentially browser basesd http bindings and not for general api usage.

  6. Prashant K | March 16, 2010 at 3:21 pm | Permalink

    I conceptually like the proposal here. This is fantastic approach. In fact one could use this generic API calling mechanism to do things like get updates from linked-in/facebook, get location information and so on.

    It does make sense to use ‘OAuth-style’ calling for making these one-off calls to do free busy lookups without real token management etc. I am not familiar with webfinger. At this stage, I believe it would be good if we can optimize step 5 (webfinger lookup). If the user’s email is something like and the call is made by yahoo (call uses yahoo certificate), it won’t be necessary. Won’t it cover the most of the cases?

    Anyway.. I believe this is a great idea !

  7. Arnaud Quillaud | March 17, 2010 at 9:46 am | Permalink

    While it serves a slightly different purpose, you should have a look at

    As far as the FB query itself, see

  8. nsirota | September 15, 2010 at 6:14 pm | Permalink

    I encourage you to check out They have a nice solution for having a master calendar in the Cloud.

  9. bharat singh | January 4, 2012 at 3:02 am | Permalink

    Hi Do you have any sample project to access Google Oauth 1.0 API .
    if you have please send me .

    Thank you
    bharat singh

  10. Order Natural Latex | October 20, 2013 at 12:04 pm | Permalink

    Hey there I am so glad I found your webpage,
    I really found you by mistake, while I was looking on Google
    for something else, Nonetheless I am here now and would just
    like to say many thanks for a fantastic post
    and a all round thrilling blog (I also love the theme/design), I don’t have time to read it all at the
    minute but I have saved it and also added in your RSS feeds,
    so when I have time I will be back to read a lot more, Please do keep up the superb job.

  11. Adriene | October 3, 2014 at 1:32 am | Permalink

    What’s up everyone, it’s my first go to see at this
    website, and post is really fruitful in favor of me, keep up posting these content.

  12. School Prank Video | October 12, 2014 at 3:37 pm | Permalink

    Sincce the admin ߋf this web site іs working, no hesitation verү soߋn it will be renowned,
    duee tto itѕ quality contents.

  13. | November 25, 2014 at 10:04 pm | Permalink

    wholesale authentic nba basketball jerseys from china

Post a Comment

Your email is never published nor shared. Required fields are marked *