OAuth and API Providers: Come on guys.

Ever actually tried implementing an Oauth provider? It's surprisingly difficult to get 100% right.<p>I had a similar problem, so I started my own open OAuth provider implementation complete with built in documentation <a href="https://github.com/schneems/opro" rel="nofollow">https://github.com/schneems/opro</a>. If you're using Rails, you can have a working OAuth provider in production in under 5 minutes. Of course adding the API endpoints and writing application specific docs is still up to the user, but the authentication flow and logic are at least standardized.

Oauth, even oauth2, seems like a classic open, design-by-loose-committee failure. Too many options and open ended decisions.<p>My hope is that now that the basecamp2 API supports it, their implementation will become the reference standard.

I'd add, that if you are implementing OAuth 1, you are making life painful for developers. If you are creating an API now, please use OAuth 2. It's much more straightforward for both server and client.

I don't understand what the author means by this paragraph:<p>"Now when a user signs up websites try to make it as easiest as possible to increase user sign up and adoption. Then you provide an API that exposes this information and has data gaps because you wanted to avoid having the user type in one more field during sign up. The API should drive those requirements not the other way around."<p>Is the author saying that sites should focus on making life easy for API consumers at the expense of their users? If so, I couldn't disagree more.

<i>"It is absolutely essential for each user to have UID that doesn't change and is consistent for the life of the account."</i><p>I agree and that's actually been a problem with Twitter. They <i>do</i> have a unique ID for each user. The problem resides in the fact that users can change their Twitter handles. So you can track a user with their UID, but you also have to check that their handle doesn't change over time and figure out if their user page on your site is at website.com/223453245/ (not the prettiest and people can't link the Twitter handle to the user page on your site), or website.com/handle/ (which is more desirable but creates problems when the handle changes).

Making Oauth Providers seriously sucks. I kno people will out me for not being rigorous enough or not low-level enough, but I would really love if we could all band together and provide some reference, open source provider to build on top on.<p>In the Rails world, Doorkeeper is a great example: <a href="https://github.com/applicake/doorkeeper/" rel="nofollow">https://github.com/applicake/doorkeeper/</a>. However, I wish Doorkeeper were ORM agnostic as i can not use ActiveRecord nor Mongo. I would appreciate any hidden gems that others might have

Also: get an SSL certificate.

This article is very vague and confusing. I'm sure there are real problems here, but the grammar makes this hard to read. What are you complaining about, specifically, in the "Logos" section? What would you like a company like Twitter to be providing in terms of graphics?

We're working on a generic, spec-compliant, thorough implementation of the OAuth spec(s) for python. Quite a bit is working, and it has a very reasonable API. Help wanted!<p><a href="https://github.com/idan/oauthlib" rel="nofollow">https://github.com/idan/oauthlib</a>

My advice, somewhat harsh, but I believe true. If you build an OAuth endpoint, build an OAuth 1.0A endpoint. It's stable, powerful, and effective. There is no effective OAuth 2 "standard" yet.

Hey there. If you have any good thoughts on improving oauth2 you should ping me:) I am posting a new spec in a week and since you know a lot of providers now we could work together.

We at filepicker.io (<a href="https://www.filepicker.io" rel="nofollow">https://www.filepicker.io</a>) are trying to solve this pain point for developers working with user content

I think Tim Bray just got into working on OAuth so that's exciting :)