Oh yay, I actually convinced someone.
This post is a little different than mine. A random spattering of
high-level qualms with it. OAuth 2 not being a protocol. Flow issues
(though a little debatable). And some stuff about "enterprise" that
besides being irrelevant to us sounds like berating the taste of an apple
cause it doesn't taste like an orange.
For reference this was my overview of the issues with both the OAuth 1 and
OAuth 2 standards:
https://www.mediawiki.org/wiki/OAuth/Issues
I didn't get round to an actual specification. But in the interest of
writing one, a while ago I did go over every user flow I could think of an
auth system having, made notes and comments on each of them, then decided
what ones should be rejected.
https://github.com/dantman/protoauth-spec/blob/master/auth-flows.md
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On Fri, 22 Mar 2013 09:11:06 -0700, Tyler Romeo <tylerromeo(a)gmail.com>
wrote:
Most of those concerns are valid. Daniel Friesen has managed to convince
me that OAuth is absolutely horrible, and that we will probably have to
make our own authentication framework.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan
<yastrakhan(a)wikimedia.org> wrote:
> There was a discussion recently about OAuth, and I just saw this blog
> post <http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-ap…>
> (posted on slashdot <http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues…>)
> with some heavy criticisms. I am not an expert in OAuth and do not yet have
> a pro/against position, this is more of an FYI for those interested.
>
> --yurik