
Another nail in the OAuth2 coffin

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 22 Mar 2013 12:00:04 -0400
Message-ID: <514C8004.3080101@digitalbazaar.com>
To: Web Payments CG <public-webpayments@w3.org>

We had used OAuth1 in the early versions of the PaySwarm
implementation and eventually ended up dropping it for a variety of reasons:

1. OAuth2 was so complicated that we couldn't see it as providing the
   basis for a payments solution that would scale as the community
   grew (and integrated less security-savvy folks).
2. OAuth1 wasn't as good as the Web Key solution, and OAuth2 was
   worse in many ways compared to the Web Key solution.
3. The implementation burden was far more complex than it needed to
   be, and implementation burden is really important when it comes
   to technology adoption.

So, we used Web Key and waited for implementers to start speaking out
against OAuth2. The first big event showing that OAuth2 was probably
going to be a failure was when Eran Hammer (the creator of OAuth)
resigned and removed his name from the spec for some of the reasons I
outlined above:


Now, developers are starting to chime in about how awful it is to build
a secure, interoperable OAuth2 implementation:


Glad to hear that people are figuring this stuff out now instead of
later. What would have been truly horrible is if developers thought
there was no issue with OAuth2, implementations proceeded, and the Web
would have gotten hit with countless OAuth2-related security breaches as
a result.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
President/CEO - Digital Bazaar, Inc.
blog: Aaron Swartz, PaySwarm, and Academic Journals
Received on Friday, 22 March 2013 16:00:30 UTC
