[geeklog-devel] "OAuth 2.0 is a bad protocol"

[Dirk Haun]

Interesting. Just the other day, I was thinking about OAuth 2.0 again and how we never got around to actually use the code we got for it (via GSoC). And today, I found this article:

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Choice quotes:

> Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group.
(…)
> At the end, I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it.
(…)
> When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.
(…)
> If you are currently using 1.0 successfully, ignore 2.0. It offers no real value over 1.0

Not sure which practical consequences to draw from this (how much of a real-world problem is not supporting OAuth 2.0, now that we allow authentication via Twitter and Facebook?). But at least I don't feel so bad about not using the code any more …

bye, Dirk


-- 
http://www.themobilepresenter.com/