Eran Hammer, who until a few days ago was the main editor of OAuth 2.0, has written this very damning blog post about the protocol:
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
I’ve been following the working group for about a year now, and there has been an awful lot of bickering and mindless discussion.
As I’ve already mentioned, I’ve spent the last few weeks working on a brand new library that implements the current spec (draft 30), and I do find myself agreeing with some of his points:
- Yes, the specification is a mess: I’ve highlighted and sticky-noted the printed document to death, and the flow between the different sections is really bad.
- Some new features, such as refresh tokens, are overly complicated and don’t benefit the protocol; they also mean clients now have to maintain access token state, which adds complexity.
- Just reading the spec you can tell how much it has been influenced by the enterprise: many features are very open-ended so that you can bolt OAuth onto something else (or something else onto OAuth).
- Bearer tokens over SSL/TLS by themselves are bad, and I think signatures need to come back.
- Basically, if I steal someone’s access token I can use it willy-nilly; with signatures, however, the entire request is signed with the client’s secret key, so unless the secret key is leaked you can’t use an access token by itself.
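To make the bearer-versus-signature point concrete, here is an added example (my own illustration, not code from the post, from Linkey, or from either OAuth spec) that puts a bearer check next to an HMAC request signature. The header names, the canonical-string layout, the token and the secret are all constructed for this demo and are not a real wire format; the only thing it shows is what a captured request is worth under each scheme.

```python
import hashlib
import hmac

# Constructed sample credentials for one client (hypothetical values).
ACCESS_TOKEN = "tok-9f1c2a"
CLIENT_SECRET = b"s3cr3t-never-sent-on-the-wire"
VALID_TOKENS = {ACCESS_TOKEN: CLIENT_SECRET}   # token -> secret bound to it
SKEW_SECONDS = 300                              # accepted clock drift


def check_bearer(authorization_header):
    """Bearer scheme: whoever presents the token string passes. Nothing else is
    checked, so a token captured anywhere (log, proxy, debug output) is fully usable."""
    scheme, _, token = authorization_header.partition(" ")
    return scheme == "Bearer" and token in VALID_TOKENS


def canonical_string(method, url, body, token, timestamp, nonce):
    """Normalised request text the MAC covers (a constructed layout, not a standard)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), url, body_hash, token, str(timestamp), nonce])


def sign_request(method, url, body, token, secret, timestamp, nonce):
    """Client side: build the headers for a signed request. The secret is used
    here but is never transmitted."""
    msg = canonical_string(method, url, body, token, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Token": token, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


def check_signed(method, url, body, headers, seen_nonces, now):
    """Server side: recompute the MAC with the secret bound to the token, and
    reject stale timestamps and reused nonces so a captured request cannot be
    replayed verbatim."""
    token = headers.get("X-Token")
    secret = VALID_TOKENS.get(token)
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > SKEW_SECONDS or (token, nonce) in seen_nonces:
        return False
    expected = sign_request(method, url, body, token, secret, ts, nonce)["X-Signature"]
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False
    seen_nonces.add((token, nonce))
    return True


def demo(now=1_343_000_000):
    """Walk through what a single captured request is worth under each scheme.
    Returns a dict of outcomes so the behaviour can be inspected or asserted on."""
    seen = set()
    url = "https://api.example.test/v1/posts"     # constructed endpoint
    body = b'{"text":"hello"}'
    headers = sign_request("POST", url, body, ACCESS_TOKEN, CLIENT_SECRET, now, "n-1")
    return {
        # Bearer: the captured token string is accepted for any later request.
        "bearer_reuse": check_bearer("Bearer " + ACCESS_TOKEN),
        # Signed: the genuine request verifies once...
        "signed_first": check_signed("POST", url, body, headers, seen, now),
        # ...an identical replay is rejected by the nonce cache...
        "signed_replay": check_signed("POST", url, body, headers, seen, now),
        # ...and pointing the captured headers at another resource or body fails,
        # because the MAC no longer matches and the secret is needed to make a new one.
        "signed_other_url": check_signed("DELETE", url + "/42", b"", headers, set(), now),
        "signed_other_body": check_signed("POST", url, b'{"text":"changed"}', headers, set(), now),
        # A capture presented well outside the clock window is also rejected.
        "signed_stale": check_signed("POST", url, body, headers, set(), now + 3600),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The timestamp window and nonce cache are what stop a verbatim replay; the MAC over method, URL and body hash is what stops the captured headers being reused for a different request. Without the secret, neither can be regenerated, which is the property the bullet above says bearer tokens lack.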
I disagree, however, that the protocol (in its current state) is complicated: they’ve done great work in reducing what was a 3 (or 4) legged protocol to just 2 legs, and everyone agrees that part of the protocol has been done well.
As for his suggestion that alternatives to OAuth outside the reach of the IETF might crop up, I’m quite interested in this. If something does crop up I’ll stick my nose in, and if nothing does I’d be interested in having a go at writing one myself as an output of Linkey.
As for the extension documents (which include the SAML assertions extension), I don’t know enough about SAML to form any sort of informed opinion, and I’ve also yet to see any public implementation of it.
I can’t help but feel this is a kind of new culture war on the Web, the Enterprise Engineers vs the Web Craftsman? These standards are not being developed for the people who actually work on them, they are being designed by the “architects” who do it once “in theory” and don’t know what “being in the code” is all about?
I disagree with this to some extent, because OAuth 1.0 and (to begin with) 2.0 were written by developers at Google, Yahoo, Facebook and Microsoft, so the protocol did stay true to its roots.
It all started to diverge when they added n different ways to make OAuth work in different situations and interoperate with other standards.
It is this comment by Eran that strikes home the most for me: “To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.” <– specifications need to be built with a sixteen-year-old developer as the main user, not an enterprise developer as the main use case?! I met a ten-year-old developer the other day, and if they don't see the point of it then no one else will :/
I think that is referring more to developers trying to connect to a 3rd-party OAuth provider than to developers building one themselves.
The classic example is a developer not having an up-to-date version of cURL, so when they try to do back-channel requests the request fails because the SSL isn’t recognised, so they disable SSL verification.
Thanks for the correction Alex, I might be doing what psychologists call “transference” here 😉
I guess I’m hoping you’ll weigh in on whether OAuth v1 is good enough to just stay with; Eran makes the point that Fb is not switching anytime soon.
OAuth 1.0 is an okay protocol, it is just clunky and a bit too verbose, which OAuth 2.0 has successfully fixed.
We aren’t going to switch away from OAuth 2.0 anytime soon and my personal feeling is that moving back to 1.0 will just turn people off the protocol.
Twitter are the ones who are staying with 1.0 for the time being – Facebook are using draft 20-something of 2.0.
Ah, good to know Alex. Thanks for the information. Keep the excellent posts coming, it is great to have you actually using the thing and feeding back what it is like 🙂
Will do – have got an epic piece of code on the way too
Coolio, ping me when it is up, I’ll actually sit down and go through the spec alongside your code 🙂
https://twitter.com/alexbilbie/status/228114000574046208