- From: Adrian Gropper <agropper@healthurl.com>
- Date: Sun, 17 Aug 2025 13:04:52 -0400
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>, Tim Bouma <trbouma@gmail.com>
- Message-ID: <CANYRo8hDTWONaWvK2spSbneq_=Xvb684kGzk3LyM3qr64wEzyQ@mail.gmail.com>
Why not move on to GNAP? It includes HTTP Message Signatures and can accommodate capabilities for attenuated delegation. It also fixes most, if not all, OAuth security issues.

- Adrian

On Sun, Aug 17, 2025 at 12:53 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

> On Wed, Aug 13, 2025 at 5:18 PM Tim Bouma <trbouma@gmail.com> wrote:
> > Several months back I took a hard look at OAuth and, from what I learned from my implementation endeavour, I wrote this.
> >
> > https://open.substack.com/pub/trbouma/p/why-i-can-no-longer-support-oauth
>
> This is an excellent article, Tim. It matches our experience at Digital Bazaar implementing both OAuth2 and the OID4VCI/OID4VP protocols. We have repeatedly experienced developers in the ecosystem accidentally leaking their credentials via OAuth2 because of a lack of understanding of how it works, or of the pitfalls of "framework-based standards".
>
> OAuth2 was what drove us to incubate and standardize HTTP Signatures, which does at least depend on cryptography to prove authorization.
>
> Dick Hardt has recently written a related post on how OAuth2 is not a good fit for things like MCP (and how HTTP Message Signatures are better):
>
> https://www.linkedin.com/posts/dickhardt_mcp-oauth-ai-activity-7358178115673616384-RKzc/
>
> ... granted, he still tries to loop OAuth2 back into the mix (a mistake, IMHO -- we should just leave OAuth2 behind and move on to stuff like Authorization Capabilities), but dropping the complicated OAuth2 dances for clients is certainly an improvement.
>
> In any case, just wanted to echo what you wrote, Tim -- OAuth2 was better than sharing passwords a decade or more ago, but we need to move on to real cryptographic authentication, authorization, and delegation.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
Received on Sunday, 17 August 2025 17:05:08 UTC
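Editor's added example (not code from this thread, from Digital Bazaar, or from any GNAP implementation): both messages above point at HTTP Message Signatures (RFC 9421) as the thing that "depends on cryptography to prove authorization", in contrast to a bearer token that is accepted wherever it is presented. The block below signs and verifies a constructed request with a minimal RFC 9421 signer, then shows the three failures a bearer token cannot detect: the same headers replayed against a different path, a body swapped after signing, and presentation after the signature's expiry. Everything here is an assumption for illustration: the key id "client-42", the shared HMAC key, the `hmac-sha256` algorithm (chosen so the example needs only the Python standard library; a real deployment would normally use an asymmetric algorithm so the verifier holds no signing secret), and the sample request and timestamp.

```python
"""Minimal RFC 9421 HTTP Message Signatures signer/verifier (added example, stdlib only).

Assumptions, all constructed for illustration: keyid "client-42", a shared
hmac-sha256 key, and the sample request in demo(). Not production code.
"""
import base64
import hashlib
import hmac
import re

# Components the verifier insists on seeing inside the signature. Anything
# not covered can be altered in transit without invalidating the signature.
REQUIRED = ("@method", "@authority", "@path", "content-digest")
MAX_SKEW = 30  # seconds of clock drift tolerated on created/expires

# Keys are looked up by the keyid carried in Signature-Input (constructed key).
KEYS = {"client-42": b"constructed-demo-key-do-not-use-in-production"}


def content_digest(body):
    """RFC 9530 Content-Digest value: sha-256 as a Structured Field byte sequence."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(req, name):
    """Resolve one covered component: derived (@method, @authority, @path) or a header."""
    if name == "@method":
        return req["method"]
    if name == "@authority":
        return req["authority"]
    if name == "@path":
        return req["path"]
    return req["headers"][name]  # header names are lowercase keys in this example


def signature_base(req, components, params):
    """RFC 9421 section 2.5: one line per covered component, then @signature-params."""
    lines = [f'"{c}": {component_value(req, c)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()


def sign(req, keyid, now, ttl=300):
    """Return a copy of req carrying Signature-Input and Signature headers (label sig1)."""
    comps = " ".join(f'"{c}"' for c in REQUIRED)
    params = f'({comps});created={now};expires={now + ttl};keyid="{keyid}";alg="hmac-sha256"'
    mac = hmac.new(KEYS[keyid], signature_base(req, REQUIRED, params), hashlib.sha256).digest()
    signed = dict(req, headers=dict(req["headers"]))
    signed["headers"]["signature-input"] = "sig1=" + params
    signed["headers"]["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return signed


_PARAMS_RE = re.compile(
    r'^\(([^)]*)\);created=(\d+);expires=(\d+);keyid="([^"]+)";alg="([^"]+)"$'
)


def verify(req, body, now):
    """Return (ok, reason). Checks coverage, body digest, time window, then the MAC."""
    h = req["headers"]
    if not h.get("signature-input", "").startswith("sig1=") or not h.get("signature", "").startswith("sig1=:"):
        return False, "missing signature"
    params = h["signature-input"][len("sig1="):]
    m = _PARAMS_RE.match(params)
    if not m:
        return False, "malformed signature-input"
    components = re.findall(r'"([^"]+)"', m.group(1))
    created, expires, keyid, alg = int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)
    if alg != "hmac-sha256" or keyid not in KEYS:
        return False, "unknown key or algorithm"
    if any(c not in components for c in REQUIRED):
        return False, "required component not covered"
    if not (created - MAX_SKEW <= now <= expires + MAX_SKEW):
        return False, "signature outside its validity window"
    if h.get("content-digest") != content_digest(body):
        return False, "content-digest does not match body"  # body altered after signing
    expected = hmac.new(KEYS[keyid], signature_base(req, components, params), hashlib.sha256).digest()
    got = base64.b64decode(h["signature"][len("sig1=:"):-1])
    if not hmac.compare_digest(expected, got):
        return False, "bad signature"  # method, authority or path changed
    return True, "ok"


def demo():
    """Sign a constructed request, then show what the verifier rejects."""
    body = b'{"amount": 10}'
    req = {"method": "POST", "authority": "api.example", "path": "/transfer",
           "headers": {"content-type": "application/json", "content-digest": content_digest(body)}}
    now = 1755450292  # constructed timestamp so the run is repeatable
    signed = sign(req, "client-42", now)
    results = {"valid": verify(signed, body, now)[0]}
    # Same headers replayed onto another path: a bearer token would be accepted here.
    results["replayed_path"] = verify(dict(signed, path="/admin/transfer"), body, now)[0]
    # Body swapped after signing: caught because Content-Digest is a covered component.
    results["tampered_body"] = verify(signed, b'{"amount": 10000}', now)[0]
    # Presented an hour later: outside the created/expires window.
    results["expired"] = verify(signed, body, now + 3600)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `verify`: authorization is bound to the method, authority, path and body of this one request and to a time window, so the artifact is useless anywhere else, whereas an OAuth2 bearer token carries no such binding and is accepted by whatever resource it is presented to. The verifier also refuses a signature whose covered-components list omits anything in `REQUIRED`, since a client may not decide for itself what the server gets to trust.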