On Mon, Sep 20, 2010 at 4:01 PM, Jonathan Rochkind <[log in to unmask]> wrote:
> Can you give some details (or references) to justify the belief that OAuth
> isn't ready yet?  (The fact that Twitter implemented it poorly does not seem
> apropos to me, that's just a critique of Twitter, right?).
>
> I don't agree or disagree, just trying to take this from fud-ish rumor to
> facts to help me and others understand and make decisions.

Agreed on this assessment, Jonathan.  MJ, can you extrapolate on your
concerns, because that Ars Technica article is not going to cut it for
anything more than to avoid the choices that Twitter made.

And even by the standards of that article, I'm not sure that OAuth is
inappropriate for the ILS-DI's use cases which are:

1) server-to-server communication as the first priority
2) something relatively standardized and abstracted enough to allow
for institutions' local authentication mechanisms.

To quote from that article:

"To be clear, I don't think that OAuth is a failure or a dead end. I
just don't think that it should be treated as an authentication
panacea to the detriment of other important security considerations.
What it comes down to is that OAuth 1.0a is a horrible solution to a
very difficult problem. It works acceptably well for server-to-server
authentication, but there are far too many unresolved issues in the
current specification for it to be used as-is on a widespread basis
for desktop applications. It's simply not mature enough yet.

Even in the context of server-to-server authentication, OAuth should
be viewed as a necessary evil rather than a good idea. It should be
approached with extreme trepidation and the high level of caution that
is warranted by such a convoluted and incomplete standard. Careless
adoption can lead to serious problems, like the issues caused by
Twitter's extremely poor implementation.

As I have written in the past, I think that OAuth 2.0—the next version
of the standard—will address many of the problems and will make it
safer and more suitable for adoption. The current IETF version of the
2.0 draft still requires a lot of work, however. It still doesn't
really provide guidance on how to handle consumer secret keys for
desktop applications, for example. In light of the heavy involvement
in the draft process by Facebook's David Recordon, I'm really hopeful
that the official standard will adopt Facebook's sane and reasonable
approach to that problem."

Which basically spells out the problem the ILS-DI group is facing:  an
incomplete, but evolving standard with heavy industry support, or...
nothing.

We are still very much in the fact-gathering stage, so any suggestions
are welcome.  At the glacial pace of library development, I think it's
safe to assume OAuth 2.0 will be less of a moving target by any
implementation stage.

-Ross.