
Re: Interesting critique of OAuth by one of its creators

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 22 Mar 2013 16:51:44 +0100
Message-ID: <CAKaEYhJ_gPbt_vuT4sUBnVDzSgLN+ZDncOHYXyvBMO+RrXw-dA@mail.gmail.com>
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
On 22 March 2013 16:31, Noah Mendelsohn <nrm@arcanedomain.com> wrote:

> Eran Hammer has published a detailed critique of OAuth at [1]. Well worth
> reading for anyone interested in Web authentication. His conclusion:
>
> "If you're looking to implement authorization for your website, I
> recommend sticking with well understood secure designs, such as HTTP
> Basic Authentication over SSL/TLS (or HTTP Digest Authentication)."
>
> He then goes on to suggest more elaborate schemes for cases in which
> access to 3rd party software is desired.
>

Some excellent points raised.  Much of this arises out of the Trusted Third
Party model of delegated credentials, which is a valuable use case, but one
with limitations.

I believe Eran missed something that is of architectural importance.  That
is that "Identity" and "Authentication" are related, but separate,
challenges.  Very often a solution will couple the two tightly together,
when they need not be, and this can be problematic.

Basic Auth over TLS really isn't bad as an "Authentication" solution, but is
lacking as an "Identity" solution.

When we have a mainstream system able to solve both (and I think WebID has
potential here) many of the issues will be able to have cleaner, and more
secure, solutions.


>
> BTW: the above is by way of Slashdot.
>
> Noah
>
> [1] http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> [2] http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit
>
>
Received on Friday, 22 March 2013 15:52:15 GMT