On Mon, Sep 20, 2010 at 4:01 PM, Jonathan Rochkind <[log in to unmask]> wrote:
> Can you give some details (or references) to justify the belief that OAuth
> isn't ready yet? (The fact that Twitter implemented it poorly does not seem
> apropos to me, that's just a critique of Twitter, right?).
>
> I don't agree or disagree, just trying to take this from fud-ish rumor to
> facts to help me and others understand and make decisions.
Agreed on this assessment, Jonathan. MJ, can you extrapolate on your
concerns, because that Ars Technica article is not going to cut it for
anything more than to avoid the choices that Twitter made.
And even by the standards of that article, I'm not sure that OAuth is
inappropriate for the ILS-DI's use cases which are:
1) server-to-server communication as the first priority
2) something relatively standardized and abstracted enough to allow
for institutions' local authentication mechanisms.
To quote from that article:
"To be clear, I don't think that OAuth is a failure or a dead end. I
just don't think that it should be treated as an authentication
panacea to the detriment of other important security considerations.
What it comes down to is that OAuth 1.0a is a horrible solution to a
very difficult problem. It works acceptably well for server-to-server
authentication, but there are far too many unresolved issues in the
current specification for it to be used as-is on a widespread basis
for desktop applications. It's simply not mature enough yet.
Even in the context of server-to-server authentication, OAuth should
be viewed as a necessary evil rather than a good idea. It should be
approached with extreme trepidation and the high level of caution that
is warranted by such a convoluted and incomplete standard. Careless
adoption can lead to serious problems, like the issues caused by
Twitter's extremely poor implementation.
As I have written in the past, I think that OAuth 2.0—the next version
of the standard—will address many of the problems and will make it
safer and more suitable for adoption. The current IETF version of the
2.0 draft still requires a lot of work, however. It still doesn't
really provide guidance on how to handle consumer secret keys for
desktop applications, for example. In light of the heavy involvement
in the draft process by Facebook's David Recordon, I'm really hopeful
that the official standard will adopt Facebook's sane and reasonable
approach to that problem."
Which basically spells out the problem the ILS-DI group is facing: an
incomplete, but evolving standard with heavy industry support, or...
nothing.
We are still very much in the fact-gathering stage, so any suggestions
are welcome. At the glacial pace of library development, I think it's
safe to assume OAuth 2.0 will be less of a moving target by any
implementation stage.
-Ross.
|