
OAuth 2.0 editor asks to have his name removed from the specification



Eran Hammer, one of the authors of the OAuth 1.0 specification and, until now, the editor of the emerging OAuth 2.0 standard, has announced his resignation after three years of work on the new standard and has asked that his name be removed from the specification.

On his personal blog, Hammer explained the reasons for this step. In a nutshell: after going through the IETF process, OAuth 2.0 has turned into a bad standard. “It is so bad that I no longer want my name to be associated with it,” writes Eran Hammer, although he notes that after three years of hard work the decision was not an easy one. The discussion of the new standard in the IETF led to many compromises, and the resulting specification fails to satisfy the two basic requirements of interoperability and security. One such compromise was renaming the protocol a “framework”; another was adding a statement that the specification is unlikely to yield interoperable implementations. Even the example of Facebook shows that developers ignore important parts of OAuth 2.0, and this despite the fact that one of the authors of the specification is responsible for its implementation at Facebook.

Compared to 1.0, the 2.0 specification is more complex, less interoperable, less convenient to use, less complete and, most importantly, less secure, says Hammer. In the hands of a knowledgeable developer OAuth 2.0 can be a well-protected system, but in the hands of most developers, as the experience of the last two years shows, the opposite will be the case.
The reason for this sorry state of OAuth 2.0, according to one of the standard's authors, was the disagreement between representatives of web development and of the enterprise world. At first the working group included representatives of the Internet community, but they gradually left, and in the end only enterprise representatives and Eran Hammer himself remained. While web developers wanted an improved version of OAuth 1.0 with fixes where they were needed, the enterprise representatives wanted a framework that they could easily integrate into their existing corporate systems. The result is a framework that permits virtually any extension, so that almost any system can be called OAuth 2.0-compatible.

At the end of his blog post, Eran Hammer writes: “I think the OAuth brand is heading for sunset. The framework will live on for a while, and in the absence of competition it will be widely used. But at the same time we are likely to see serious security vulnerabilities over the next few years, followed by a slow but inexorable discrediting of the brand. It will be another one of those protocols that everyone hates but cannot do without.”

Overall, in his view, handing OAuth over to the IETF for standardization was a big mistake, and it is a pity that it took three years to realize this. To illustrate his position, Eran Hammer even posted an illustration on his blog with the words “They killed OAuth. Bastards!”

Eran Hammer does not recommend migrating to OAuth 2.0 for those who are already successfully using OAuth 1.0.

It should be noted that the same pattern in the IETF, a good standard becoming more complicated and discredited, occurred in the case of WebSocket: according to Ian Hickson, the design of that protocol became worse after its “processing” in the IETF, although not to the same extent as OAuth.

Source: https://habr.com/ru/post/148693/
