W3C home > Mailing lists > Public > www-tag@w3.org > March 2013

Re: Interesting critique of OAuth by one of its creators

From: John Kemp <john@jkemp.net>
Date: Fri, 22 Mar 2013 08:51:28 -0700
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-Id: <28F0BE1E-D54B-4E57-8F56-668DD2FE4987@jkemp.net>
To: Noah Mendelsohn <nrm@arcanedomain.com>
Noah,

On Mar 22, 2013, at 8:31 AM, Noah Mendelsohn wrote:

> Eran Hammer has published a detailed critique of OAuth at [1].

It's worth noting that "insane coder" does NOT appear to be Eran Hammer. Eran did indeed make several of the same points, but this article does not seem to be his work. FWIW Slashdot does write their introduction in a manner likely to make it look as if "insane coder" is Eran.

> Well worth reading for anyone interested in Web authentication. His conclusion:
> 
> "If you're looking to implement authorization for your website, I recommend to sticking with well understood secure designs, such as HTTP Basic Authentication over SSL/TLS (or HTTP Digest Authentication)."
> 
> He then goes on to suggest more elaborate schemes for cases in which access to 3rd party software is desired.

The article itself does not seem to mention that these criticisms are leveled at OAuth version 2, rather than the smaller and more efficient OAuth 1.0a protocol which is used by many for API authorization, and for which the OAUTHSHA1 mechanism is well-specified (in my opinion, certainly, but after I have implemented it at least 3 times in different languages for different customers). 

OAuth 2 is an "authorization framework", not an "authorization protocol".

If you want a standard for OAuth, I heartily agree with Eran and others that OAuth 1.0a [1] is the best choice for the original OAuth use-cases. It solves a real use-case, and does that specifically and efficiently. 

JohnK

[1] http://tools.ietf.org/html/rfc5849

> 
> BTW: the above is by way of Slashdot.
> 
> Noah
> 
> [1] http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> [2] http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit
> 
Received on Friday, 22 March 2013 15:52:08 GMT

This archive was generated by hypermail 2.3.1 : Friday, 22 March 2013 15:52:08 GMT