Wow, did Eran Hammer ever go off. His noisy slamming of the OAuth 2 door behind him has become a news story. I have opinions too.
First of all, if you read his (long-ish) piece, you pretty much owe it to yourself to read the (very long) comments too.
Second: I’m kind of a n00b here. I’m a crypto cretin, a PKI peasant, an attribute-exchange airhead, and have been known to confuse authentication with authorization. Having said that:
I’ve spent a lot of time, the last few months, getting to grips with real actual OAuth 2 software, and
I’ve learned over the years that when you’re in the process of first using a new technology, that’s a good time to write about it.
Disclosure: I don’t know Eran. I’ve heard plenty of strong opinions about him from people who do. You can go out and find ’em on the Net if you think it’s material.
First Take-Away · Google offers a buttload of APIs. They are used by a frightening number of people (and robots) coming from a frightening variety of software platforms. Some of them involve the interchange of large amounts of real-money value.
For a large and increasing proportion, if you want to get your app authorized for the API, it’s OAuth 2 or nothing. It works. There are prepackaged libraries, or you can go RESTful and jam POSTs and GETs at the auth endpoints. I’ve done both. Lots of people are doing this.
In particular, it works well with Android. Or, at least it will when Google Play Services releases (to all compatible 2.2-or-later devices) in the near future. I’ll have lots more to say, and open-source code to share, when that happens. But the user experience is fine, the security is good enough for our internal gorgons, and the API, while not trivial, is tractable.
And in general, it’s way better than what we offered before. Aaaaand... no passwords!
Interop? · OAuth 2 is useful today. It would be more useful if you could take the exact same code you used to authorize your GMail address to get at your Google+ history, and use it to authorize your Facebook account for your MineVille guild. Or... (radical idea) authorize your Google/Facebook account for your Facebook/Google resources!
I haven’t tried those, but I doubt it works out of the box. I haven’t the vaguest idea whether, with some evolution in software and judicious spec subsetting, it will become workable. Interop isn’t a binary pass/fail anyhow; the question is whether the cost/benefit ratio (and there always is one) makes you happy. Suppose it never really becomes practical; does that mean OAuth 2 is a failure, as Eran claims? I dunno. Not being rhetorical, I really don’t.
Enterpriseyness · One of Eran’s central gripes is the immense difficulty of knitting “Enterprise” requirements into OAuth — or any other standards work, for that matter. He’s right. The Web use cases may not be easy to solve, but they’re easy to understand. There’s a resource, there’s a party hosting it, how do you prove to that party that your HTTP GET is on behalf of someone or something which has been properly authenticated and authorized? There are variations depending on whether you’re coming from a Web server that can keep secrets or a mobile app that can’t, and whether you need long-term or short-term access, but it’s really not that arcane.
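The core Web case described above, as an added example rather than code from the post or from Google's libraries: a constructed in-memory token endpoint and a resource server that decides whether an HTTP GET's bearer token is on behalf of an authorized user. The client names, secret, scopes and the policy that only the secret-keeping (confidential) client gets a long-lived refresh token are assumptions made for the example, not rules from the spec.

```python
import hmac, secrets, time

# Constructed client registry: a Web server that can keep a secret, and a
# mobile app that cannot (so it never authenticates with one).
CLIENTS = {"web-app":   {"secret": "s3cr3t-constructed", "confidential": True},
           "phone-app": {"secret": None,                 "confidential": False}}
ACCESS_TTL = 3600               # short-lived access token lifetime, seconds
_access, _refresh = {}, {}      # token string -> grant record (in-memory store)

def issue_tokens(client_id, client_secret, user, scope, now=None):
    """Token endpoint, called after `user` has authorized `client_id` for `scope`.
    Confidential clients must prove their secret; public clients have none."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["confidential"] and (client_secret is None or
            not hmac.compare_digest(client["secret"], client_secret)):
        return None                          # bad or missing secret: no tokens
    grant = {"user": user, "scope": set(scope.split()), "client": client_id}
    access = secrets.token_urlsafe(32)
    _access[access] = dict(grant, expires=now + ACCESS_TTL)
    out = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL}
    if client["confidential"]:               # assumed policy: long-term access only
        refresh = secrets.token_urlsafe(32)  # where the client can keep a secret
        _refresh[refresh] = grant
        out["refresh_token"] = refresh
    return out

def refresh_access(client_id, client_secret, refresh_token, now=None):
    """Exchange a refresh token for a fresh short-lived access token."""
    grant = _refresh.get(refresh_token)
    if grant is None or grant["client"] != client_id:
        return None                          # unknown token or wrong client
    return issue_tokens(client_id, client_secret, grant["user"],
                        " ".join(sorted(grant["scope"])), now)

def authorize_get(headers, required_scope, now=None):
    """Resource server: is this GET on behalf of an authorized user?
    Returns (user, None) on success or (None, error) using bearer-token
    error names (invalid_request / invalid_token / insufficient_scope)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None, "invalid_request"
    rec = _access.get(token)
    if rec is None or now >= rec["expires"]:
        return None, "invalid_token"         # unknown or expired: refresh/re-auth
    if required_scope not in rec["scope"]:
        return None, "insufficient_scope"
    return rec["user"], None
```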
On the other hand, whenever I get into a conversation with someone on the Enterprise side, even when I think I understand the problem domain, I lose the plot, and fast. The requirements these people claim to have around both authentication and authorization are so arcane and subtle and legacy-laden that you have to be a full-time professional to even understand them.
Also, some of them seem to exist to serve goals that seem to me like a good reason to short the stock of any company wanting that shit.
Maybe it’s just that I don’t understand, which usually seems to be the case when I get into this territory. On the other hand, maybe they’re Doing It Wrong.
Having said all that, OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the core of Web functionality (all I care about) seems to have survived.
What To Do With the Spec? · It has a new editor. The IETF is meeting next week (In Vancouver! I’m going). So I’ve been asking around, both inside Google and among others I respect, and people are singing the same song about the core OAuth 2 stuff:
It’s done. Stick a fork in it. Ship the RFCs.
Standards-Making · It’s easy to conclude that Eran’s pissed at the IETF. That’s a bit unfair; to start with, he seems to be pissed at everyone, and if you dive into the comments, he has some reasonable things to say about the IETF.
This hasn’t stopped a bunch of pomo Web π.0 hipsters from leaping in and shaking their heads about the suckitude of the IETF. Those guys can blow it out their shorts.
Standards-making is a boring, bureaucratic, unpleasant process, infested by difficult people and psychopathic institutions. Some “standards” turn out to be useful; most are ignored; some are actively harmful. And looking at which organization the standard came from turns out to not be very useful in predicting what’s going to happen.
And the IETF has, more or less, designed the Internet. Which said hipsters are now going to use to tell me I’m clueless. Ever hear of “irony”?