OAuth 2.0 Standard Editor Quits, Takes Name Off Spec
New submitter tramp writes
"The Register reports, 'Eran Hammer, who helped create the OAuth 1.0 spec, has been editing the evolving 2.0 spec for the last three years. He resigned from his role in June but only went public with his reasons in a blog post on Thursday. "At the end, I reached the conclusion that OAuth 2.0 is a bad protocol," Hammer writes. "WS-* bad. It is bad enough that I no longer want to be associated with it."' At the end of his post, he says, 'I think the OAuth brand is in decline. This framework will live for a while, and given the lack of alternatives, it will gain widespread adoption. But we are also likely to see major security failures in the next couple of years and the slow but steady devaluation of the brand. It will be another hated protocol you are stuck with.'"
It references the plethora of crappy standards created during the SOAP era. (WS-Security, WS-Routing, WS-Addressing, WS-YourMom)
I have never seen "ws-*" before... reference please?
Ask and ye shall receive.
http://en.wikipedia.org/wiki/WS-*
http://lmgtfy.com/?q=ws-*
Courtesy of wikipedia and google.
What's WS-* supposed to mean...
It refers to the plethora of web-services specifications, most of which take a fairly complicated protocol (XML over HTTP) and add huge new layers of mind-boggling complexity.
You don't ever need WS-*, except when you find you do because you're dealing with the situations that the WS-* protocol stack was designed to deal with. When that happens, you'll reinvent it all. Badly. JSON isn't better than XML, nor is YAML; what they gain in succinctness and support for syntactic types, they lose at the semantic level. REST isn't better than SOAP, it's just different, and security specifications in the REST world are usually hilariously lame. Then there's the state of service description, where WSDL is the only spec that's ever really gained really wide traction. WS-* depresses me; I believe we should be able to do better, but the evidence of what happens in practice doesn't support that hunch.
"Little does he know, but there is no 'I' in 'Idiot'!"
I was there, I helped write v1.
The reason you had to sort the parameters etc., etc. was because OAuth 1.0 was designed to be implementable by a PHP script running under Apache on Dreamhost. Which meant you didn't get access to the HTTP Authentication header, and you didn't get access to the complete URL that was accessed. So we had to work out a way to canonicalize the URL to be signed from what we could guarantee you'd have: your hostname, your base url path, and an unsorted bag of url parameters. Believe me, we *wished* for a straightforward URL canonicalization standard we could reference. None existed. So we cussed a lot, bit the bullet, and wrote one that was as fast and simple as possible: sort the parameters and concatenate them.
Go yell at the implementors of Apache and of PHP. If we could have guaranteed that you'd have access to an unmangled Authentication: HTTP header, the OAuth 1.0 spec would have been 50% shorter and a hell of a lot easier to implement.
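The "sort the parameters and concatenate them" canonicalization described in the comment above, as an added Python example (not the commenter's code and not any OAuth library's): it rebuilds the OAuth 1.0 signature base string and HMAC-SHA1 signature the way RFC 5849 specifies them, using the request from RFC 5849 section 3.4.1 as input; the consumer and token secrets used for the signing round trip are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def enc(s: str) -> str:
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal, hex digits uppercase."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lowercase scheme and host, drop the default port, drop query and fragment."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and (p.scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path or "/", "", ""))


def normalize_params(pairs) -> str:
    """The 'sort and concatenate' step: encode key and value, sort by key then value, join with &."""
    encoded = sorted((enc(k), enc(v)) for k, v in pairs if k not in ("realm", "oauth_signature"))
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body="") -> str:
    """METHOD & enc(base URI) & enc(normalized params): the string client and server must agree on."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)  # query-string parameters
    pairs += parse_qsl(body, keep_blank_values=True)                # form-encoded body, if any
    pairs += list(oauth_params.items())                             # oauth_* protocol parameters
    return "&".join([method.upper(), enc(base_string_uri(url)), enc(normalize_params(pairs))])


def hmac_sha1_signature(base, consumer_secret, token_secret="") -> str:
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(base, presented, consumer_secret, token_secret="") -> bool:
    # The server recomputes the signature from its own view of the request and compares in constant time.
    return hmac.compare_digest(hmac_sha1_signature(base, consumer_secret, token_secret), presented)


# Request from RFC 5849 section 3.4.1: POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b, body "c2&a3=2+q".
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}


def rfc5849_example_base_string() -> str:
    return signature_base_string("POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b",
                                 RFC_OAUTH, body="c2&a3=2+q")
```

Note that a value like `b5=%3D%253D` is decoded once when parsed and re-encoded twice on the way into the base string, which is exactly the kind of detail implementations got wrong and the reason the ordering and encoding rules had to be spelled out.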
The problem with SOAP and WS-* stuff isn't XML. It's rather that it takes, IIRC, five levels of nesting of said XML to call a simple web service that takes an integer and returns another one. In other words, it's ridiculously overengineered for the simple and common cases, while supposedly covering some very complicated scenarios better - a claim that I cannot really verify since I've never in my life seen system architecture, even in the "enterprise", where that complexity was actually useful.