Jonathan Rochkind wrote:
> Can you give some details (or references) to justify the belief that
> OAuth isn't ready yet? (The fact that Twitter implemented it poorly
> does not seem apropos to me, that's just a critique of Twitter, right?).
>
> I don't agree or disagree, just trying to take this from fud-ish rumor
> to facts to help me and others understand and make decisions.

The problems with Twitter's poor implementation have been compounded by bad management decisions like switching off HTTP authentication and an amazing policy on key invalidation, but I agree that's not the fault of OAuth.

The key point is in the http://bit.ly/c88aa7 that Joe posted: how can one publish an OAuth-using client that's not easy to impersonate? Requiring every user to fill out registration forms and cut-and-paste key strings into a client is not going to fly, so it seems like it can't be done except on a very locked-down platform, because the consumer secret is distributed to users' systems in the app.

So you either ignore the key parts of the 1.0a version (which means that the standard needs revision IMO, so is not ready yet), or you jump ahead to the 2.0 draft, which is not ready yet because it's still a draft.

Personally, I think the right answer would have been to keep HTTP authentication over HTTPS and have some slick way of creating subsidiary usernames with limited privileges for apps, but there's probably some better solution that I'm missing.

Aside 1: will 2.0 ever work and be ready? Its editor Eran Hammer-Lahav criticises its current state at http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/

Aside 2: to be fair, I'll point out that Eran Hammer-Lahav criticises the ars.technica article at http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/ but does mention that "there is no solution [...] for a distributed application" - does that mean OAuth isn't fit for FOSS?
Hope that helps,
-- 
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for Koha work http://www.software.coop/products/koha
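The impersonation point made in the message above, as an added worked example (this is not code from the original mail, from Koha, or from Twitter's or any OAuth library's implementation): OAuth 1.0a's HMAC-SHA1 signature (RFC 5849 sections 3.4 and 3.6) proves only possession of the consumer secret, so once that secret ships inside a distributed client, anyone who pulls it out of the binary produces signatures the server cannot tell from the genuine app's. The protocol parameters and consumer secret are the ones used in the introductory example of RFC 5849 section 1.2; the "shipped binary" blob, the `extract_consumer_secret` scan, and the helper names are constructed here for illustration and use only Python's standard library.

```python
"""OAuth 1.0a HMAC-SHA1 signing, and why a consumer secret embedded in a
distributed client cannot prevent impersonation (added example)."""
import base64
import hashlib
import hmac
import re
from urllib.parse import quote


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(value.encode("utf-8"), safe="")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """Signature base string, RFC 5849 section 3.4.1.

    base_url is assumed to be already normalized (scheme://host/path, no
    query, no default port).  params holds the oauth_* protocol parameters
    plus any query/form parameters, but never oauth_signature itself."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed by '<consumer_secret>&<token_secret>' (section 3.4.2)."""
    key = "&".join([percent_encode(consumer_secret), percent_encode(token_secret)])
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, base_url, params, consumer_secret, token_secret=""):
    """What any client (genuine or not) does to produce oauth_signature."""
    return hmac_sha1_signature(signature_base_string(method, base_url, params),
                               consumer_secret, token_secret)


def server_accepts(method, base_url, params, presented_signature, consumer_secret, token_secret=""):
    """What the server does: recompute the signature and compare in constant time.
    Nothing here distinguishes the registered app from a copy of its secret."""
    expected = sign_request(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


# Temporary-credentials request from RFC 5849 section 1.2 (callback as in the RFC).
METHOD = "POST"
URL = "https://photos.example.net/initiate"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131200",
    "oauth_nonce": "wIjqoS",
    "oauth_callback": "http://printer.example.com/ready",
}
CONSUMER_SECRET = "kd94hf93k423kf44"  # RFC 5849 section 1.2 client secret

# Constructed stand-in for the app binary that was published to users: the
# secret sits in it as a plain string, exactly as it would after compilation.
SHIPPED_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16 +
                  b"OAUTH_CONSUMER_KEY=dpf43f3p2l4k3l03\x00"
                  b"OAUTH_CONSUMER_SECRET=kd94hf93k423kf44\x00"
                  b"\x00" * 8 + b"/lib64/ld-linux-x86-64.so.2\x00")


def extract_consumer_secret(binary: bytes) -> str:
    """The `strings app | grep SECRET` step: pull the secret out of the binary."""
    match = re.search(rb"OAUTH_CONSUMER_SECRET=([\x21-\x7e]+)", binary)
    if match is None:
        raise ValueError("no embedded consumer secret found")
    return match.group(1).decode("ascii")


def impersonation_demo():
    """Returns (genuine_sig, impostor_sig, impostor_accepted, wrong_secret_accepted)."""
    genuine = sign_request(METHOD, URL, PARAMS, CONSUMER_SECRET)
    # Impostor: never registered with the service, just read the shipped app.
    stolen_secret = extract_consumer_secret(SHIPPED_BINARY)
    impostor = sign_request(METHOD, URL, PARAMS, stolen_secret)
    impostor_accepted = server_accepts(METHOD, URL, PARAMS, impostor, CONSUMER_SECRET)
    # Without the secret, signing fails: the scheme does protect the secret itself.
    wrong = sign_request(METHOD, URL, PARAMS, "some-guessed-secret")
    wrong_accepted = server_accepts(METHOD, URL, PARAMS, wrong, CONSUMER_SECRET)
    return genuine, impostor, impostor_accepted, wrong_accepted


if __name__ == "__main__":
    g, i, ok, bad = impersonation_demo()
    print("genuine  :", g)
    print("impostor :", i)
    print("server accepts impostor:", ok, "| accepts wrong secret:", bad)
```

The server-side check is the same HMAC recomputation the real app's requests go through, so the only thing a signature attests is knowledge of `consumer_secret` plus the token secret; an app-level secret that every installed copy carries is therefore a shared secret with the whole user base, which is the "no solution for a distributed application" remark quoted above, and it is why the fix has to come from somewhere other than the signature scheme (a locked-down platform, per-install credentials, or a different model).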