- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 17 Aug 2025 12:50:54 -0400
- To: W3C Credentials Community Group <public-credentials@w3.org>
- Cc: Tim Bouma <trbouma@gmail.com>
On Wed, Aug 13, 2025 at 5:18 PM Tim Bouma <trbouma@gmail.com> wrote:
> Several months back I took a hard look at OAuth and, from what I learned from my implementation endeavour, I wrote this.
>
> https://open.substack.com/pub/trbouma/p/why-i-can-no-longer-support-oauth

This is an excellent article, Tim. It matches our experience at Digital Bazaar implementing both OAuth2 and the OID4VCI/OID4VP protocols. We have repeatedly experienced developers in the ecosystem accidentally leak their credentials via OAuth2 because of a lack of understanding in how it works, or the pitfalls with "framework-based standards".

OAuth2 was what drove us to incubate and standardize HTTP Signatures, which does at least depend on cryptography to prove authorization.

Dick Hardt has recently written a related post on how OAuth2 is not a good fit for things like MCP (and how HTTP Message Signatures are better):

https://www.linkedin.com/posts/dickhardt_mcp-oauth-ai-activity-7358178115673616384-RKzc/

... granted, he still tries to loop OAuth2 back into the mix (a mistake, IMHO -- we should just leave OAuth2 behind and move on to stuff like Authorization Capabilities), but dropping the complicated OAuth2 dances for clients is certainly an improvement.

In any case, just wanted to echo what you wrote, Tim -- OAuth2 was better than sharing passwords a decade or more ago, but we need to move on to real cryptographic authentication, authorization, and delegation.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
Received on Sunday, 17 August 2025 16:51:34 UTC
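As an added illustration of the point made above about HTTP Message Signatures depending on cryptography to prove authorization (example code, not from the thread, Digital Bazaar or any cited project): a minimal RFC 9421 signer and verifier using the registered hmac-sha256 algorithm, covering @method, @authority, @path and content-type under a created/expires window, so that the signature authorizes one specific request for a bounded time rather than acting as a bearer token. The shared secret, request, key id and single signature label are constructed assumptions; a real deployment would use an asymmetric key so the verifier cannot forge signatures.

```python
import base64
import hashlib
import hmac
import re

SECRET = b"constructed-shared-secret"  # constructed sample key; real deployments use a private key

def signature_params(components, created, keyid, alg, expires=None):
    inner = "(" + " ".join(f'"{c}"' for c in components) + ")"
    params = f";created={created}" + (f";expires={expires}" if expires else "")
    return inner + params + f';keyid="{keyid}";alg="{alg}"'

def signature_base(request, components, params):
    # One '"name": value' line per covered component, then @signature-params,
    # LF-joined with no trailing LF (RFC 9421 section 2.5).
    lines = [f'"{c}": ' + (request[c] if c.startswith("@") else request["headers"][c])
             for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def sign(request, components, created, expires, keyid="shared-1", label="sig1"):
    params = signature_params(components, created, keyid, "hmac-sha256", expires)
    base = signature_base(request, components, params).encode()
    mac = hmac.new(SECRET, base, hashlib.sha256).digest()
    return {"Signature-Input": f"{label}={params}",
            "Signature": f"{label}=:{base64.b64encode(mac).decode()}:"}

def verify(request, sig_headers, now, label="sig1"):
    # Server side: rebuild the base from the request as received (single label assumed)
    params = sig_headers["Signature-Input"].removeprefix(f"{label}=")
    components = re.findall(r'"([^"]+)"', params.split(")", 1)[0])
    expires = re.search(r";expires=(\d+)", params)
    if expires and int(expires.group(1)) <= now:
        return False  # outside the validity window the signer committed to
    base = signature_base(request, components, params).encode()
    mac = hmac.new(SECRET, base, hashlib.sha256).digest()
    given = sig_headers["Signature"].removeprefix(f"{label}=").strip(":")
    return hmac.compare_digest(mac, base64.b64decode(given))

def demo():
    # Constructed request; returns (valid, path-tampered, past-expiry) results
    req = {"@method": "POST", "@authority": "issuer.example",
           "@path": "/credentials/issue", "headers": {"content-type": "application/json"}}
    covered = ["@method", "@authority", "@path", "content-type"]
    hdrs = sign(req, covered, created=1700000000, expires=1700000300)
    ok = verify(req, hdrs, now=1700000100)
    tampered = verify({**req, "@path": "/credentials/revoke"}, hdrs, now=1700000100)
    replayed = verify(req, hdrs, now=1700000400)
    return ok, tampered, replayed
```

The tampered and replayed cases are what a leaked bearer token would still authorize; here they fail because the MAC is bound to the covered components and the declared window.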