OAuth 2.0 and the Road to Hell

It saddens me to see OAuth 2.0 in this state. As someone who’s made really minor contributions to 2.0 (and thus listed as a contributor in the spec), I have been really looking forward to it being finished and ready for production use (where production use means no more drafts). I stopped following the mailing list last year because most of the threads seemed all too familiar or out of my realm of knowledge to contribute (read: enterprisey).<p>I run a 1.0a service provider and write clients against it. I’m thinking about wading through the current 2.0 draft, picking out the relevant parts to small startups with an API, and publishing a post about how to implement the sane parts of the 2.0 spec.

Having written client code for multiple OAuth2 implementations, I can tell you: it's a total clusterf$%k, and for exactly the reasons Eran outlines: the oauth spec is a giant ball of design-by-committee compromise and feels <i>exactly</i> like the disaster that is XML web services and it's technologies.<p>We would be better far off it a single company/dictator (like, shudder, facebook) came up with a simple, competently designed one page authentication mechanism, provided some libraries in the popular languages and we all just went with that.

I've worked on standards committees off and on for many years, and his experience seems typical of the issues that crop up. There are many problems with standards groups and the way that they work.<p>One major one is that, often, the participants come from different areas with different perspectives and visions of the outcome. Since participants rarely go to work with a firm set of agreed upon requirements or use cases, it leaves each member room to craft their own understandings of the goals. I've seen way too many working groups attempt to create a 'master' spec that takes into account all possibilities. Or, alternatively, clusters of people form from similar problem domains, and powerful clusters can take the work off course.<p>A second major problem is that there often is a lack of real user participants. Standards work is as close to the dullest engineering work one can get. Worse, it seems to attract certain types of engineers that love building specifications. Because of this, usually the real users flee immediately. This usually leaves a body of over-educated, overly-technical people to argue a lot over sometimes irrelevant details. Those types of people are definitely necessary for the standard to work in the end. But, because the real users flee, their influence is usually unchecked.<p>A third reason is that working groups rarely seem to use iterative and incremental life cycles. There's rarely any working code, often little V&#38;V, and participants and users often can't experiment with their ideas. As we know, what's good in theory, sometimes doesn't work well in practice.<p>I think there are systematic reasons much standards work fails. The 'design-by-committee' outcomes arise from 1) lack of firm use cases to bound the work, 2) dissimilarity between participants, 3) lack of real user participants, 4) lack of iterative / incremental cycles.

<a href="https://en.wikipedia.org/wiki/Second-system_effect" rel="nofollow">https://en.wikipedia.org/wiki/Second-system_effect</a> strikes again?

Hang on a minute, from where I'm standing as a client developer OAuth 2 is much better than OAuth 1.<p>Firstly, reducing the burden of tricky and unnecessary crypto code on the client is useful.<p>Secondly, some of the article's points don't even make sense, like saying tokens are necessarily unbounded, which isn't true. The issuer can easily include the client_id in the token and check for its revocation when used, as it did in OAuth 1. The same is true for self-encoding: clients don't have to issue self-encoded tokens and can instead issue unique id-style tokens with long expiry times. As for refresh, that's unfortunate but issuers could easily work around it if the OAuth 1 way was preferable.<p>In short, OAuth 2 is simpler to implement for the client in exchange for being slightly harder on the issuer, whilst also being more flexible. Yes, it relies on SSL for security. So does your bank.

I don't understand any of this. Microsoft develops and publishes 'protocols' (used lightly) and everyone hates them because they are pushing workable code out on everyone else...<p>Bunch of people in a committee take three years trying to build the security token system to end all security token systems and have yet anything to show for it and we are sad?<p>Why are people trying to do this anyway? oAuth is just an idea. Hey here's a really good way to handle things and if you do it this way it has some really great benefits.<p>Why aren't these things like javascript frameworks where everyone has an idea. I don't think it's practical that every sdk and framework will use one security system that was agreed upon. It's just not going to happen. Everyone has unique requirements.<p>I think he's just upset that more people have concerns and needs and nobody can compromise to solve all of them. Well yeah. Naturally. They wouldn't be needs if people could just overlook them for someone else's idea on how to do it. They would just be problems people are looking for someone else to solve.

We at Zapier have seen it all when it comes to API's. IMO, the biggest poison around OAuth are options. Optional grant types, various refresh token options, miscellaneous state and scope options, etc...<p>What is the point of a standard that cannot be implemented the same way twice? It's insane.<p>That said, most smaller vendors stick to the sane bits, its the big guys like Intuit or Microsoft that over-engineer their auth and pull out every fiddly feature in the spec.

&#62; With very little effort, pretty much anything can be called OAuth 2.0 compliant.<p>This was both a sigh of relief but also slightly horrifying when I was working on an oauth2 server in Node. It encourages a lazy "implement the parts we care about and that are required, and take shortcuts for unspecified things." I thought the separation of access tokens and refresh tokens was wrong because once you're just giving the client an encrypted string to avoid certain DB lookups later you can put whatever data you want in it (the spec doesn't care) including managing refreshes, revokes, etc. I like the idea of expiring tokens of course, but it would simplify the client significantly to just replace the currently used token with a new token issued by the server if one is returned. I recall the 'standard' flow is "request with access token, fail, request new access token with refresh token if you have one, maybe succeed, maybe get a new refresh token, if succeed request with new access token". Having the access token manage the data to refresh itself is simpler. I'd agree it's bad that token security is reduced to cookie security by default, really the whole rant is spot-on.

Might OAuth WRAP make a comeback? Bret Taylor wrote about it years ago as a simpler approach:<p><a href="http://webcache.googleusercontent.com/search?q=cache:lDQVFkyw-LcJ:backchannel.org/blog/oauth-wrap-friendfeed" rel="nofollow">http://webcache.googleusercontent.com/search?q=cache:lDQVFky...</a><p>(his blog seems to be defunct, hope that's not permanent)<p>Seems like OAuth WRAP has been officially deprecated in favor of OAuth2.0 but given these issues...

Yes, this is sad. And it happens all the time.<p>Exactly the same thing happened to the whole Semantic Web effort at W3C. It basically got overtaken by enterprise and now it is of little interest or use to regular web developers.

somewhat, shocking. i guess i'll be moving away from Oauth, feels like a relief and scary at the same time. what are some good alternatives?

&#62; The enterprise community was looking for a framework they can use with minimal changes to their existing systems, and for some, <i>a new source of revenues through customization</i>.<p>That right there is what killed OAuth 2.0. From day 1 these members didn't have the specification as the highest priority. They were only thinking of how the specification could serve their own ends. This isn't unique to the enterprise world, but that mindset has more than its fair share. The web community represented the group that put the specification as it's highest priority. When the specification was perverted, they left.

Interestingly I am developing a single-signon provider as we speak, and I chose OAuth 1.0. I did it mainly because the libraries (jersey-oauth in my case) seemed more mature for 1.0, and the fact that 1.0 is a standard, whilst 2.0 is a draft at the moment.<p>I do realize that it's slightly more complicated for the client developer, but all things considered I think documenting my API in the best possible way will outweigh the perceived disadvantages.

Something similar is happening to HTML5 in the W3C: <a href="http://blog.whatwg.org/html-and-html5" rel="nofollow">http://blog.whatwg.org/html-and-html5</a>

I witnessed one guy implement an OAuth 2.0 provider completely wrong (he was accepting user credentials as client credentials, or something similar.) This guy was smart, and just couldn't understand the spec.<p>Upon reading the spec, it seemed that OAuth2 is really just some rough guidelines. Pick and choose what you need for the particular flow you're implementing.

I'd love to see OAuth 2.0 forked into a version that takes into account Eran's comments. It's be nice if the forked version explicitly mention that it will not make any compromises to support the enterprise and that the burden is on the enterprise to support the ways the internet works.<p>If the enterprise world wants a standard, let them make their own.

Design by committee fails again.<p>Maybe next time it'll work!

Heh, why not form another committee with just the web guys and without the enterprise guys and create your own OAuth 2.0? You'll get something done before the enterprise guys and they'll be inclined to use your working protocol.

What does WS-* mean?

just been reading about the debacle with xml and w3c snd this whole oAuth business sounds like it's heading down the same path. Seems like the browser vendors had the ultimate say when it came to html. in terms of oAuth i wonder where the ultimate power lies because those would be the factions that need to do something right now to deal with this mess.

What was the supposed purpose for oath 2.0?

Again it's very hard to read the small grey text on white background.

pluginitis strikes again