OAuth is complex. Witness last week's crazy rush to fix something that was visible in the protocol all along. But no one saw it ... most likely because of protocol complexity.
Seeing as Kent's confessions are mostly around signatures: it's odd that an authorization protocol needs to specify signature mechanisms ... at all.

The end result of an OAuth protocol flow is:
* some state on the provider, and
* some manifestation of this state on the consumer, who uses this to authenticate the provider when accessing the resource.

An authz protocol should encompass how to clearly describe resources, operations, and parties authorized. To do that you really need no other info than URLs and operations. There is no need to bounce this information via the consumer:
* The consumer performs an operation on a resource, and
* The provider checks to see whether the consumer is allowed.

The manner in which the provider authenticates the consumer should be completely independent from the authorization protocol. Forcing any style of authentication is a bit draconian. (A token is tied to a secret for authentication.)

There are also other issues with baking this all into one protocol. For example, only the provider has to be the one issuing and consuming tokens. This format is opaque. This means I cannot issue my own authorizations -- ahead of time if I want -- nor can I move them around providers...

For some reason OAuth came out as a bit of a REST anti-pattern. Access to resources is now shrouded inside an odd mix of additional protocol flows and signature mechanisms. With non-easily addressable consumers (like desktop apps) you run into the "turtles all the way down" problem when introducing authentication inside an authorization protocol: you can issue secrets and tokens to an app, or try one of the n-legged approaches, but they fail as you can never be sure who or what you're ultimately authenticating.

I'm probably rambling a bit, just some thoughts,

Hans

On Mon, Apr 27, 2009 at 10:42 PM, Chris Messina <[email protected]> wrote:
> Is OAuth this hard for everyone else?
> http://kentbrewster.com/oauth-confessions/
> *Sniff*.
> Chris
>
> --
> Chris Messina
> Open Web Advocate
>
> factoryjoe.com // diso-project.org // openid.net // vidoop.com
> This email is: [ ] bloggable [X] ask first [ ] private
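Hans's remark that "a token is tied to a secret for authentication" is easiest to see in the HMAC-SHA1 signing that OAuth 1.0 requires on every resource request. The following is an added example, not code from this thread or from any OAuth library: it builds the RFC 5849 section 3.4 signature base string (double percent-encoding, parameter sorting, the lot) for the RFC's own sample request and secrets, signs it as the consumer would, and then verifies it as the provider would. The provider can only verify because it holds the secrets bound to the consumer key and token, which is exactly the coupling of authentication to the authorization token the post complains about. The `SECRETS` table is a hypothetical in-memory store standing in for the provider's database.

```python
"""Added example (not from the thread): OAuth 1.0 HMAC-SHA1 request signing per
RFC 5849 section 3.4, plus the provider-side verification that needs the consumer
and token secrets.  Request and secrets are the sample values from RFC 5849
section 3.4.1; SECRETS is a hypothetical in-memory provider store."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    # RFC 5849 3.6: encode everything except unreserved characters, uppercase hex.
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default port, query, fragment.
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def collect_params(url, oauth_params, body_params=()):
    # RFC 5849 3.4.1.3.1: query string, form body and Authorization header
    # parameters, excluding realm and oauth_signature itself.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    return params


def normalize_params(params):
    # RFC 5849 3.4.1.3.2: encode name and value, sort by name then value, join.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    # Each of the three parts is percent-encoded again before joining with '&'.
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalize_params(params))])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    # RFC 5849 3.4.2: key is encoded consumer secret, '&', encoded token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign(method, url, oauth_params, body_params, consumer_secret, token_secret):
    params = collect_params(url, oauth_params, body_params)
    return hmac_sha1(signature_base_string(method, url, params),
                     consumer_secret, token_secret)


def provider_verify(method, url, oauth_params, body_params, secrets):
    """Provider side: without the secrets tied to (consumer key, token) the
    signature cannot be recomputed, so authentication rides on the token."""
    key = (oauth_params.get("oauth_consumer_key"), oauth_params.get("oauth_token"))
    if key not in secrets:
        return False
    consumer_secret, token_secret = secrets[key]
    expected = sign(method, url, oauth_params, body_params,
                    consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Sample request from RFC 5849 section 3.4.1: a POST carrying parameters in the
# query string, the form body and the Authorization header.
METHOD = "POST"
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# Hypothetical provider store: (consumer key, token) -> (consumer secret, token secret)
SECRETS = {("9djdj82h48djs9d2", "kkk9d7dh3k39sjv7"): ("j49sk3j29djd", "dh893hdasih9")}


def example():
    """Consumer signs, provider verifies, and a tampered body parameter fails."""
    base = signature_base_string(METHOD, URL, collect_params(URL, OAUTH, BODY))
    consumer_secret, token_secret = SECRETS[(OAUTH["oauth_consumer_key"], OAUTH["oauth_token"])]
    signed = dict(OAUTH, oauth_signature=sign(METHOD, URL, OAUTH, BODY,
                                              consumer_secret, token_secret))
    ok = provider_verify(METHOD, URL, signed, BODY, SECRETS)
    tampered = provider_verify(METHOD, URL, signed, [("c2", ""), ("a3", "2 r")], SECRETS)
    return base, signed["oauth_signature"], ok, tampered


if __name__ == "__main__":
    base, sig, ok, tampered = example()
    print(base)
    print("oauth_signature:", sig, "verified:", ok, "tampered verified:", tampered)
```

Note how much of the code is encoding and ordering rules rather than cryptography: a single stray `+` or lowercase hex digit on either side produces a different base string and a verification failure with no useful error, which is the kind of thing Kent's confessions are about. The `provider_verify` lookup also shows why the token cannot be issued or moved by anyone but the provider: whoever verifies must hold the token secret.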
