[geeklog-devel] "OAuth 2.0 is a bad protocol"

Tom websitemaster at cogeco.net
Mon Aug 6 10:33:59 EDT 2012


Interesting read. Here is what someone from the Drupal community asked about
adding OAuth 2 support:

------------------------------------
OAuth 1.0 is being used successfully by thousands of websites using the
OAuth Drupal module (http://drupal.org/project/oauth). I currently maintain
that module. Should we discard adding OAuth 2 support? Are there any other
alternatives? It would be great if you could chime in at
http://drupal.org/node/1591692.

Many thanks for your hard work on this protocol.
------------------------------------

And here is the reply by Eran:

------------------------------------

Not sure what OAuth 2.0 support would look like. The hard part would be
deciding what to implement and how. I would put it on hold until you find
use cases that justify the effort.
------------------------------------




-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Dirk Haun
Sent: July-27-12 4:29 PM
To: Geeklog Development
Subject: [geeklog-devel] "OAuth 2.0 is a bad protocol"

Interesting. Just the other day, I was thinking about OAuth 2.0 again and
how we never got around to actually using the code we got for it (via GSoC).
And today, I found this article:

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Choice quotes:

> Last month I reached the painful conclusion that I can no longer be
> associated with the OAuth 2.0 standard. I resigned my role as lead author
> and editor, withdraw my name from the specification, and left the working
> group.
(...)
> At the end, I reached the conclusion that OAuth 2.0 is a bad protocol.
> WS-* bad. It is bad enough that I no longer want to be associated with it.
(...)
> When compared with OAuth 1.0, the 2.0 specification is more complex, less
> interoperable, less useful, more incomplete, and most importantly, less
> secure.
(...)
> If you are currently using 1.0 successfully, ignore 2.0. It offers no real
> value over 1.0

Not sure which practical consequences to draw from this (how much of a
real-world problem is not supporting OAuth 2.0, now that we allow
authentication via Twitter and Facebook?). But at least I don't feel so bad
about not using the code any more.

bye, Dirk


-- 
http://www.themobilepresenter.com/
