LISTSERV 16.5 - CODE4LIB Archives

Jonathan Rochkind wrote:
> Can you give some details (or references) to justify the belief that 
> OAuth isn't ready yet?  (The fact that Twitter implemented it poorly 
> does not seem apropos to me, that's just a critique of Twitter, right?).
> 
> I don't agree or disagree, just trying to take this from fud-ish rumor 
> to facts to help me and others understand and make decisions.

The problems with Twitter's poor implementation have been compounded
by bad management decisions like switching off HTTP authentication and
an amazing policy on key invalidation, but I agree that's not the
fault of OAuth.

The key point is in the http://bit.ly/c88aa7 that Joe posted: how can
one publish an OAuth-using client that's not easy to impersonate?

Requiring every user to fill out registration forms and cut-and-paste
key strings into a client is not going to fly, so it seems like it
can't be done except on a very locked-down platform, because the
consumer secret is distributed to users' systems in the app.  So you
either ignore the key parts of the 1.0a version (which means that the
standard needs revision IMO, so is not ready yet), or you jump ahead
to the 2.0 draft, which is not ready yet because it's still a draft.

Personally, I think the right answer would have been to keep HTTP
authentication over HTTPS and have some slick way of creating
subsidiary usernames with limited privileges for apps, but there's
probably some better solution that I'm missing.

Aside 1: will 2.0 ever work and be ready?  Its editor Eran
Hammer-Lahav criticises its current state at
http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/

Aside 2: to be fair, I'll point out that Eran Hammer-Lahav criticises
the ars.technica article at
http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/
but does mention that "there is no solution [...] for a distributed
application" - does that mean OAuth isn't fit for FOSS?

Hope that helps,
-- 
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for Koha work http://www.software.coop/products/koha