Head in the Clouds: SaaS, PaaS, and Cloud Strategy

Aug 6 2012   1:21PM GMT

Debate over OAuth 2.0 rages on

Adam Riglian Profile: Adam Riglian

The Internet Engineering Task Force’s Vancouver meeting didn’t exactly have reporters scrambling for their notebooks, but the news that came out of the six-day event that ended Friday has had bloggers clacking keys across the web.

The specs for OAuth 2.0, the protocol for token-based authentication that has gained wide acceptance among web developers, were being debated at the conference and the direction of that debate agitated the protocol’s original author, Eran Hammer, to the point where he stormed out. The colorful language he used to describe the process belied the mundaneness of the standardization process.

Hammer took issue with the direction OAuth 2.0 was taking, saying it was on “the road to Hell.” While he went biblical, others affected by the process took a more measured approach.

Scott Morrison pegged Hammer’s pains as being a classic example of the founder’s problem. The CTO of Vancouver-based API management company Layer7, Morrison praised Hammer for his problem-solving with OAuth 1.0, but added that other people were bound to come into the process and expand it.

“Because it suddenly became so important and people realized it could be much more than the original vision, it moved up into the sort of old-style formalization,” Morrison said. “That’s a huge change, that’s a cultural change and I think that’s where the problem really came about.”

Morrison describes the changing world of standardization and the influence of grassroots developers on it. He said OAuth was the best example of developers getting together and solving a problem independent of vendors, analysts and standards groups.

Not all the pains are cultural. Among the critical changes in OAuth 2.0 is a switch from digital signatures to secure sockets layer (SSLs) in securing tokens. Morrison believes that the change was made because SSL is much simpler and is the standard for securing things like credit card transactions, something that would be familiar to developer’s with a more basic skill set.

“In some respects, it’s maybe not as pure or perfect a solution as using digital signatures, but it gets you there in the end,” Morrison said.

While it may not be as perfect, Morrison believes that SSL will ultimately lead to better security because it is simpler. He said the risk of developer mistakes in more complicated security procedures is higher than any problems with SSL.

Morrison still thinks there’s value in OAuth 2.0 and that developers using it aren’t on a path to damnation. But, he would like to see a simpler specification put out so that everyone can move forward.

“My head starts to spin when I start to read the OAuth 2.0 specs,” he said. “It’s up to all of us in the community to communicate what it’s about and build the infrastructure around it to make it easier to use.”

— @AdamRiglian

3  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • IT Blog Top 10: How HP got hurt - ITKE Community Blog
    [...] Is OAuth 2.0 on “the road to Hell”? Protocol author Eran Hammer thinks so, and Adam Riglian details his response at last week’s Internet Engineering Task Force meeting [...]
    0 pointsBadges:
  • APIs in the news as App.net trawls for dollars - SOA Talk
    [...] weeks have seen clamor in the ranks of the OAuth API standardization effort, as well as a high-visibility launch of an alternative to Twitter APIs. In the first case, an OAuth [...]
    0 pointsBadges:
  • IT Blog Top 10: The end of RIM? - ITKE Community Blog
    [...] did Eran Hammer storm out of the Internet Engineering Task Force’s recent meeting? Adam Riglian [...]
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: