- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 22 Mar 2013 17:05:45 +0100
- To: John Kemp <john@jkemp.net>
- Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <CAKaEYhKftmD_DLHa60tS_=KuqOXr-K6jpqMT6FnnHkPy61JhPw@mail.gmail.com>
On 22 March 2013 16:51, John Kemp <john@jkemp.net> wrote:

> Noah,
>
> On Mar 22, 2013, at 8:31 AM, Noah Mendelsohn wrote:
>
> > Eran Hammer has published a detailed critique of OAuth at [1].
>
> It's worth noting that "insane coder" does NOT appear to be Eran Hammer.
> Eran did indeed make several of the same points, but this article does not
> seem to be his work. FWIW Slashdot does write their introduction in a
> manner likely to make it look as if "insane coder" is Eran.
>
> > Well worth reading for anyone interested in Web authentication. His
> > conclusion:
> >
> > "If you're looking to implement authorization for your website, I
> > recommend to sticking with well understood secure designs, such as HTTP
> > Basic Authentication over SSL/TLS (or HTTP Digest Authentication)."
> >
> > He then goes on to suggest more elaborate schemes for cases in which
> > access to 3rd party software is desired.
>
> The article itself does not seem to mention that these criticisms are
> leveled at OAuth version 2, rather than the smaller and more efficient
> OAuth 1.0a protocol which is used by many for API authorization, and for
> which the OAUTHSHA1 mechanism is well-specified (in my opinion, certainly,
> but after I have implemented it at least 3 times in different languages for
> different customers).
>
> OAuth 2 is an "authorization framework", not an "authorization protocol".
>
> If you want a standard for OAuth, I heartily agree with Eran and others
> that OAuth 1.0a [1] is the best choice for the original OAuth use-cases. It
> solves a real use-case, and does that specifically and efficiently.

While most of the references are to "OAuth", rfc6749 is quoted and linked to, which is OAuth2.

> JohnK
>
> [1] http://tools.ietf.org/html/rfc5849
>
> > BTW: the above is by way of Slashdot.
> >
> > Noah
> >
> > [1] http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> > [2] http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit
Received on Friday, 22 March 2013 16:06:18 UTC