On Thu, 26 Jul 2012 06:13:52 -0700, Diederik van Liere dvanliere@gmail.com wrote:
Hi all,
The lead author of Oauth 2.0, Eran Hammer, has withdrawn his name from the OAuth 2 spec:
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
That's a very sad news, IMHO, and it probably means we really should reconsider what protocol we want to support Oauth 1.0 / Oauth 2.0 / SAML or something else if we want to allow interoperability with our sites.
Best, Diederik
I thought OAuth 2 would have stayed dominant for a little while longer. But this just circles right back to something I've said from the start. We need to implement the Application registration, authorization/revocation handling, and spam tools in a completely abstract way that allows any protocol to be plugged in using an extension. ie: Everything that lets you revoke an App and see what app is responsible for an edit would be part of core. While the OAuth2 flow would be part of an OAuth2 extension.
This post actually feels almost like an invitation to re-read OAuth 1 (I read OAuth 2 in much more depth than OAuth 1). Look over all the advantages of each and come up with some real flows. And write a new protocol based of the best of each. Try to write a simple usable standard based off of that. And then ship MediaWiki with it hoping others will pick up on the same protocol. This kind of pushes me to want to write it myself. Though given my past, that won't go well unless I have people behind me supporting it.
Btw, before anyone decides to use some short-sighted argument in favor of OAuth 2 let's be clear about this. OAuth 2 is a protocol designed entirely for proprietary APIs like Facebook. We absolutely SHOULD NOT treat our goal as just a (proprietary) API for people to access Wikipedia. But aim for a protocol that would work cleanly for all MediaWiki installations.