Re: Why I can no longer support OAuth2 (was: Re: Why can't I pay using a Verifiable Credential?)

Hi Adrian,
So, unfortunately, GNAP does not have anything in it about attenuated
delegation.

(But it IS an excellent protocol for /requesting/ things like access tokens
& capabilities; I always recommend it.)

On Sun, Aug 17, 2025, 10:07 AM Adrian Gropper <agropper@healthurl.com>
wrote:

> Why not move on to GNAP. It includes HTTP Message Signatures and can
> accommodate capabilities for attenuated delegation? It also fixes most,
> if not all, OAuth security issues.
>
> - Adrian
>
> On Sun, Aug 17, 2025 at 12:53 PM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On Wed, Aug 13, 2025 at 5:18 PM Tim Bouma <trbouma@gmail.com> wrote:
>> > Several months back I took a hard look at OAuth and what I learned from
>> my implementation endeavour, I wrote this.
>> >
>> >
>> https://open.substack.com/pub/trbouma/p/why-i-can-no-longer-support-oauth
>>
>> This is an excellent article, Tim. It matches our experience at
>> Digital Bazaar implementing both OAuth2 and the OID4VCI/OID4VP
>> protocols. We have repeatedly experienced developers in the ecosystem
>> accidentally leak their credentials via OAuth2 because of a lack of
>> understanding in how it works, or the pitfalls with "framework-based
>> standards".
>>
>> OAuth2 was what drove us to incubate and standardize HTTP Signatures,
>> which does at least depend on cryptography to prove authorization.
>>
>> Dick Hardt has recently written a related post on how OAuth2 is not a
>> good fit for things like MCP (and how HTTP Message Signatures are
>> better):
>>
>>
>> https://www.linkedin.com/posts/dickhardt_mcp-oauth-ai-activity-7358178115673616384-RKzc/
>>
>> ... granted, he still tries to loop OAuth2 back into the mix (a
>> mistake, IMHO -- we should just leave OAuth2 behind and move on to
>> stuff like Authorization Capabilities), but dropping the complicated
>> OAuth2 dances for clients is certainly an improvement.
>>
>> In any case, just wanted to echo what you wrote Tim -- OAuth2 was
>> better than sharing passwords a decade or more ago, but we need to
>> move on to real cryptographic authentication, authorization, and
>> delegation.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/
>>
>>
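The thread contrasts OAuth2 bearer tokens, which prove only possession of a string, with HTTP Message Signatures (RFC 9421), where the client signs the request itself so a leaked or replayed message cannot be reused against a different path or body. The following is an added example written for this page; it is not code from the thread, from Digital Bazaar, or from any of the linked posts. It builds the RFC 9421 signature base over `@method`, `@authority`, `@path` and an RFC 9530 `Content-Digest`, signs it with `hmac-sha256` using a constructed shared secret (a real deployment would use an asymmetric key such as Ed25519 and a key lookup by `keyid`), and verifies on the server side by rebuilding the base from what actually arrived. The authority, path, body, key id and secret are all constructed values; the example does not implement GNAP or capability-based delegation.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed shared secret and key id for the demo (hmac-sha256 per RFC 9421).
# A real deployment would use an asymmetric key and look the verifier key up by keyid.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
KEY_ID = "demo-key-1"
DEFAULT_COVERED = ("@method", "@authority", "@path", "content-digest")


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value: sha-256 of the body, base64, wrapped in colons."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def signature_base(method, authority, path, headers, covered, params):
    """RFC 9421 signature base: one '"name": value' line per covered component,
    followed by the @signature-params line. These bytes are what gets signed."""
    derived = {"@method": method.upper(), "@authority": authority.lower(), "@path": path}
    lines = []
    for name in covered:
        value = derived[name] if name.startswith("@") else headers[name].strip()
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()


def sign_request(method, authority, path, body, created=None):
    """Client side: return the headers to add (Content-Digest, Signature-Input, Signature)."""
    created = int(time.time()) if created is None else created
    headers = {"content-digest": content_digest(body)}
    components = " ".join(f'"{c}"' for c in DEFAULT_COVERED)
    params = f'({components});created={created};keyid="{KEY_ID}";alg="hmac-sha256"'
    base = signature_base(method, authority, path, headers, DEFAULT_COVERED, params)
    mac = hmac.new(SHARED_SECRET, base, hashlib.sha256).digest()
    headers["signature-input"] = "sig1=" + params
    headers["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return headers


def verify_request(method, authority, path, body, headers, now=None, max_age=300):
    """Server side: rebuild the base from the request as received and check the MAC.
    Returns 'ok' or a short reason for rejection."""
    now = int(time.time()) if now is None else now
    try:
        label, params = headers["signature-input"].split("=", 1)
        sig_label, sig_value = headers["signature"].split("=", 1)
    except (KeyError, ValueError):
        return "missing signature headers"
    if label != sig_label or not (sig_value.startswith(":") and sig_value.endswith(":")):
        return "malformed signature headers"
    m = re.fullmatch(r'\(([^)]*)\);created=(\d+);keyid="([^"]*)";alg="([^"]*)"', params)
    if not m:
        return "unparseable signature params"
    covered = re.findall(r'"([^"]+)"', m.group(1))
    created, keyid, alg = int(m.group(2)), m.group(3), m.group(4)
    if keyid != KEY_ID or alg != "hmac-sha256":
        return "unknown key or algorithm"
    # Local policy: refuse signatures that leave the path or body uncovered.
    if "content-digest" not in covered or "@path" not in covered:
        return "signature does not cover the request body or path"
    if not (now - max_age <= created <= now + 60):
        return "signature expired or from the future"
    # Recompute the digest from the body that actually arrived, not from the header.
    if not hmac.compare_digest(headers.get("content-digest", ""), content_digest(body)):
        return "content-digest does not match body"
    try:
        base = signature_base(method, authority, path, headers, covered, params)
    except KeyError:
        return "covered component not present in request"
    expected = hmac.new(SHARED_SECRET, base, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_value[1:-1])):
        return "bad signature"
    return "ok"


def bearer_check(presented: str, issued: str) -> bool:
    """For contrast: an OAuth2 bearer token proves only possession of the string, so
    whoever holds it can use it for any method, path or body until it expires or is revoked."""
    return hmac.compare_digest(presented, issued)


if __name__ == "__main__":
    created = 1_755_468_000  # constructed timestamp
    body = b'{"amount":10}'
    h = sign_request("POST", "api.example", "/payments", body, created=created)
    print(verify_request("POST", "api.example", "/payments", body, h, now=created + 5))
    print(verify_request("POST", "api.example", "/payments", b'{"amount":999}', h, now=created + 5))
    print(verify_request("POST", "api.example", "/refunds", body, h, now=created + 5))
    print(verify_request("POST", "api.example", "/payments", body, h, now=created + 3600))
```

The three rejections in the demo are the properties a bearer token lacks: the same headers cannot be replayed with a different body (digest mismatch), against a different path (signature base changes), or after the `created` window closes. Parsing `Signature-Input` with a strict `fullmatch` and rebuilding the base from the received component list, rather than from the server's own constant, matters because the verifier must sign exactly what the client signed, while still refusing signatures that leave the path or body uncovered.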

Received on Sunday, 17 August 2025 22:17:57 UTC