We appear to still be litigating OAuth, oops

On Wed, Feb 24, 2021, at 17:26, Jim Manico wrote:
> I think it’s important to point out that OAuth is not an authentication protocol. It’s for delegation. OAuth is one of the most mis-used protocols on the modern web. If you really want to support end users, a good place to start is to make it clear to developers what OAuth is really for so secure solutions are built as opposed to the dumpster fire that OAuth solutions have become today.

https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does

Which suggests that if the OAuth solutions deployed today are dumpster fires, then ... well, that's what OAuth 2 does.

My biggest problem with OAuth as an outsider is that it doesn't solve the NxM problem.  You can't build a client which can OAuth against any arbitrary OAuth service that provides a standard protocol, because you need to get an API key for your particular application from each service provider.  This just doesn't scale, which is a large part of Phillip's complaint as well.

Of course, I came into the IETF having already read https://web.archive.org/web/20120731155632/http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ - which was one of the things which made me wary of the IETF in the first place, and keen to not let everything I touched get over-complicated.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@xxxxxxxxxxxxxxxx


