[geeklog-devel] "OAuth 2.0 is a bad protocol"

Dirk Haun dirk at haun-online.de
Fri Jul 27 16:28:49 EDT 2012

Interesting. Just the other day, I was thinking about OAuth 2.0 again and how we never got around to actually using the code we got for it (via GSoC). And today, I found this article:


Choice quotes:

> Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group.
> At the end, I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it.
> When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.
> If you are currently using 1.0 successfully, ignore 2.0. It offers no real value over 1.0

Not sure which practical consequences to draw from this (how much of a real-world problem is not supporting OAuth 2.0, now that we allow authentication via Twitter and Facebook?). But at least I don't feel so bad about not using the code any more …

bye, Dirk
