On Wed, Feb 24, 2021, at 17:26, Jim Manico wrote:
I think it’s important to point out that OAuth is not an authentication protocol. It’s for delegation. OAuth is one of the most mis-used protocols on the modern web. If you really want to support end users, a good place to start is to make it clear to developers what OAuth is really for so secure solutions are built as opposed to the dumpster fire that OAuth solutions have become today.
Which suggests that if the OAuth solutions deployed today are dumpster fires, then ... well, that's what OAuth 2 does.
My biggest problem with OAuth as an outsider is that it doesn't solve the NxM problem. You can't build a client which can OAuth against any arbitrary OAuth service that provides a standard protocol, because you need to get an API key for your particular application from each service provider. This just doesn't scale, which is a large part of Phillip's complaint as well.
Of course, I came into the IETF having already read https://web.archive.org/web/20120731155632/http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ - which was one of the things which made me wary of the IETF in the first place, and keen to not let everything I touched get over-complicated.
Bron.
--
Bron Gondwana, CEO, Fastmail Pty Ltd
brong@xxxxxxxxxxxxxxxx
