On Fri, Mar 22, 2013 at 8:59 AM, Yuri Astrakhan yastrakhan@wikimedia.org wrote:
There was a discussion recently about OAuth, and I just saw this blog post http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html (posted on slashdot http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit) with some heavy criticisms. I am not an expert in OAuth and do not yet have a pro/against position; this is more of an FYI for those interested.
OAuth has ... plenty of issues ... ;) but it has its place.
That place is *specifically* in authorizing third-party web applications to get partial access on behalf of a user without getting unfettered access to their credentials -- something that should be useful for wiki-related tools such as on Toolserver and Labs, or on other third-party hosting.
It shouldn't be used for mobile or desktop apps. It can't replace CentralAuth. It can't replace login. It can't replace OpenID. And it shouldn't be shoved into any of those things where it won't fit. :)
-- brion