> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Pelle Braendgaard
> Sent: Monday, October 05, 2009 5:49 PM

> Yes this post is negative, but it comes out of frustration. OAuth was a community generated standard. All the libraries supporting it were created by the community and all the people helping out on mailing lists, irc etc are part of the community.

Most of the people involved were doing it as part of their day job. A community does not imply the lack of corporate presence. At the time this extension was proposed, everyone was included and was invited to contribute and provide feedback. It was done openly and Yahoo! actively seeks feedback and advice from all the key contributors. It is hypocritical to complain about Yahoo!'s implementation a year after the extension was released because you are now forced to implement it to make a living. You can only blame yourself for purposely boycotting Yahoo!'s implementation until now (according to your own rant).

> I find it very hard not to be negative about large companies trying to force everyone into damaging community created standards. I am just saying what a lot of people I have talked to are thinking and have told me privately

I don't care about what people told you in private. I trust the research I got from more reliable sources. This entire rant is your personal view on what is damaging the community. If I thought any of Yahoo!'s actions were damaging the community I would not be working there anymore. My *job* is to make sure Yahoo! works with the community and adjust its internal process and attitude to be only positive and supportive. And contrary to the bleak picture you are trying to paint, getting Yahoo! to do the right thing is an effortless part of my job.

> Eran, I have a lot of respect for you and I really appreciate all the work you have done, please do not take this as being anything against you. I know what you are up against and have the utmost respect for you and your vision for open standards.

That's a funny way to show respect and appreciation. It's not like you didn't know where to reach Yahoo! team members and start by asking questions instead of a detailed public attack. I do take this personally because what you are saying is that me and others have failed to do our job and don't have the best of the community in mind. Yahoo! has been nothing but supportive of this community from the very first moment it got involved - it is an important *member* of the community. I also resent the implication in "what you are up against". You truly have no idea what you are ranting about.

> But yes the open IPR process that everyone had agreed to got intercepted and turned into a secret process due to Yahoo as you say taking the lead. Everyone was frustrated with that whole process, including I am sure you. This stalled the whole ratification of OAuth for an unnecessarily long time. I know Microsoft also joined in there and well, have they implemented OAuth as a result of your hard work? I don't know what they have done since the OAuth Summit, but a quick google search shows me that there is nothing yet from them more than a year later.

This paragraph is full of so many false claims... If "everyone had agreed to" there would not be any problem, but obviously not everyone agreed. Besides Google (and maybe Twitter and Digg, not sure if the individuals from those companies were acting on their behalf), no other company signed that agreement. The community knowingly used Yahoo!'s intellectual assets (Flickr and BBAuth) when it created the specification so it was clear we had to seek their approval once we decided to deal with IPR. The process was never secret but for practical purposes it included those who needed to sign it and it had enough community review to make sure the corporations are not doing anything wrong. You don't have to trust me, but I am sure everyone here trusts Gabe Wachob (who initiated this entire IPR process) and David Recordon who wrote the book on community-driven IPR process.

The only thing the IPR process stalled was Yahoo!'s own implementation. It was the only company affected by the process because our legal team wanted to have it in place before adoption. It is not like anyone expected Yahoo! to sue anyone for this work. All the other companies had no problem deploying a spec without clear IPR terms and that included Google and MySpace. So other than my own personal time and that of the paid lawyers, who exactly suffered? We ended up with a better agreement which benefited the entire community.

Microsoft's involvement in the IPR process helped make it better. It also did not delay the process by a single day given that we had another company who *contributed* and was still negotiating the legal language. But more than anything else, getting Microsoft involved opened the dialog with Microsoft about participation in open specifications and their current support of the OWF. Reaching out to Microsoft was my personal decision and one of the best decisions I have made working on the OAuth IPR. And yet again, the community benefited, not Yahoo!.

> But my rant was not about that IPR process, I fumed back then and whatever life goes on.

No. It was about trying to embarrass Yahoo! using anything you could find, even if it had nothing to do with your main plot line. Also, you were the only person who had a problem with the process (another unjustified rant), and once we made the document available for community review, neither you nor anyone else had any substantive feedback.

> Harder to live with is broken standards and yes the OAuth Session Extension is not compatible with higher level OAuth libraries as used by the majority of developers. The individually authenticated OAuth requests still follow the standard, there I agree. But the storage of 3-4 extra fields along with an oversize token and having to implement code to refresh the token when certain errors happen does not follow the OAuth standard.
>
> The large token you provide does follow the standard, but is just very inconvenient for lots of people who have to make database changes to support it.

This is a whole soup of arguments. Most of the libraries merely sign requests. The few that perform token management for the user work based on a few early implementations. OAuth does not have error codes or error handling so anything that spells it out is extending the standard. OAuth does not mention token size. Any expectation about that shows lack of understanding of the design and goals of the protocol. Being able to encode state into the token itself was always the goal. Same goes for using non-URI-safe characters in tokens. Tokens can be anything and a library that does not accommodate that is just a bad library (whether the spec should spell it out is a separate issue - either way it doesn't).

> The problem with OAuth signatures is a low level problem for people developing libraries. People trying to write their own OAuth implementations from scratch are I'm sorry to say doing the wrong thing. Regular developers should use libraries that encapsulate the complexity or security really will be compromised. This is the thing I think the security and infrastructure engineers who designed the Session Extension don't realize. The migration to OAuth 1.0a was necessary but has caused people a lot of problems because it changes the flow.

This doesn't change the fact that most libraries are of poor quality or incomplete and that still more developers refuse to use them. The *fact* is that most people are still trying to write their own code and have issues. In other words, Yahoo!'s developers both internally and externally find the spec itself too hard and find the libraries either incompatible with their platforms or their architecture. And don't get me started about feedback I have seen from the enterprise world. We have a good 1.0 spec. We are working to make 2.0 great and part of that will use innovative ideas from many sources, one of which is Yahoo!'s experience.

> OAuth as well as OpenID are these strange specs that are a mix of API and a Spec. They are complex because they to a certain extent need to be complex. However they need to be written and standardized in a standard way so library builders can hide the complexity of this for the every day developer. This encapsulating is what breaks when you create something like the refresh step that you can not hide behind a simple method call.

This ignores the fact that this refresh step is a security and deployment requirement. Yahoo! is committed to working with the community to make sure the next version of the spec accommodates these needs. And Yahoo! is far from alone. Google, Microsoft, AOL, and others all share these requirements which the current spec fails to support. Should these companies have brought it up during the 1.0 process? Sure. But the fact that they are here now and are telling us what they need to make this work isn't a bad thing.

> Right now there are probably 100s of developers who are good at their job using the Ruby OAuth libraries. There are of course also lots of others using various php libraries, the Python library etc. Most of them do not and should not have to understand enough to go in and deal with Yahoo's OAuth extensions just like that.
>
> Yes other providers have added little things, like Google's scope parameter etc. But none of them so drastically change the flow as the OAuth Session Extension does.
>
> Lots of people have tried dealing with Yahoo OAuth. I know of only one company besides my client who is actually doing it with Ruby as it has proven so difficult to support.
>
> Yes I should have followed the extensions list a bit more closely, but I also think that Yahoo's engineers could have been a bit more creative about a solution. Or at least spell out on your OAuth API documentation that you are not following the normal OAuth flow.

None of this leads to the conclusion that Yahoo! is hurting the spec or the community. PERIOD. Other companies should implement the extension if they find Yahoo!'s API worth the extra work. The entire argument that somehow this extension hurts anyone else (other than theoretically Yahoo! itself) is absurd. Yahoo! has not changed a single thing in the core spec, didn't come up with a new competing signature method, or told developers to do anything other than what the core spec does. A library written to work with Yahoo! will easily work with everyone else. It simply added the ability to issue short-lived tokens without requiring the end user to re-authorize access. Everything you raised amounts to a rant about Yahoo! making you work harder. The only issue here is whether the extension is costing Yahoo! developers unwilling to do more work to use its API, but that has nothing to do with the community.

> With regards to the work and money Yahoo has spent on promoting OAuth, I applaud it, but remember that you are not the only ones who have made a large investment in OAuth. I also don't understand how you can support OAuth so fully on some levels, but not where it counts in your implementation.

I wasn't talking about Yahoo!'s investment to benefit itself. I was talking about its investment to benefit the community, and in that regard, very few other companies match up.

> I would also like to extend a hand of gratitude to all the other people who have contributed to this on their own dime. Like you did originally. I like many others have spent 100s of hours promoting OAuth and supporting it through the OAuth Gem and Plugin. I have made it my personal goal for the OAuth ruby code to be as easy as possible for people to use. I have easily spent over 100 hours of time that could have been billable on this, which is probably a considerably larger percentage of my revenues than Yahoo's investment in OAuth.
>
> This is why I don't take it lightly when a large company like Yahoo attempts to destroy all the hours of education, coding and help that we as a community have put into getting people to adopt OAuth. This is why I am upset. So I am sorry if Yahoo does not like what I say and if it is negative. This is nothing but me saying enough is enough. Support the standard as specified or label it as something else.
>
> Yahoo can do what they want, but I would encourage other implementers to not support their extensions until they change their implementation. Alternatively they could provide patches to the major libraries to support their implementation in a transparent manner. Transparent being key.

We can discuss the technical details of the extension or how libraries should be architected in the future to better accommodate this and other extensions - I am actively doing that at the OAuth IETF working group and you are welcome to join us. We can discuss how legal frameworks could be made better and how to improve legal negotiation for community-based projects - I am actively doing that at the OWF and you are welcome to join us.

You have completely failed to show how Yahoo!'s implementation hurts anyone. If your point was that this is bad for Yahoo! and hurt its API adoption, it would at least be a valid perspective of one developer. But turning your need to do some extra work into an attack on a company that does not merit or deserve it makes this entire rant completely pointless and self serving.

EHL

You received this message because you are subscribed to the Google Groups "OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
