W3C home > Mailing lists > Public > www-tag@w3.org > March 2013

Interesting critique of OAuth by one of its creators

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Fri, 22 Mar 2013 11:31:07 -0400
Message-ID: <514C793B.4010809@arcanedomain.com>
To: "www-tag@w3.org" <www-tag@w3.org>
Eran Hammer has published a detailed critique of OAuth at [1]. Well worth 
reading for anyone interested in Web authentication. His conclusion:

"If you're looking to implement authorization for your website, I recommend 
to sticking with well understood secure designs, such as HTTP Basic 
Authentication over SSL/TLS (or HTTP Digest Authentication)."

He then goes on to suggest more elaborate schemes for cases in which access 
to 3rd party software is desired.

BTW: the above is by way of Slashdot.

Noah

[1] 
http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
[2] 
http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit
Received on Friday, 22 March 2013 15:31:34 GMT

This archive was generated by hypermail 2.3.1 : Friday, 22 March 2013 15:31:35 GMT