Thanks for the link, Scott. On first reading, Eran Hammer's criticism seems damning. However, what he's essentially saying is that the OAuth 2.0 spec in itself is too flexible and extensible, allowing naive developers to produce non-secure implementations, and also that two "spec-compliant" implementations may be non-interoperable.
As we know from the Web Services experience, this is the sort of thing that can be fixed with an Interoperability Profile (e.g., WS-I Basic Profile). He did admit that there are implementations that are straightforward, simple and secure. So I'm sure there will be a second level of standardisation to fix the problems he's pointing out. It doesn't mean that OAuth 2.0 is unusable. That would be reading too much into it.

My blog on this has more detail: http://wisdomofganesh.blogspot.com.au/2012/07/oauth2-whom-to-believe.html

Regards,
Ganesh Prasad

On 29 July 2012 08:55, Scott Battaglia <scott.battag...@gmail.com> wrote:
> Interesting read as we attempt to evaluate which standards make the most
> sense for CAS to support:
> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>
> Cheers,
> Scott
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as:
> g.c.pra...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev