
OAuth 2.0 leader resigns, says standard is 'bad'

The standard grew too far from its roots as a simple Web authorization technology, author Eran Hammer-Lahav says, and is now insecure and overly broad.

Stephen Shankland Former Principal Writer
OAuth 2.0 author Eran Hammer-Lahav has declared the authorization standard a failure. (Photo: Eran Hammer-Lahav)

OAuth 2.0 promised to improve delegated authorization on the Net, but its author has resigned from the project after concluding that the standard "is a bad protocol."

"When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure," Eran Hammer-Lahav said in a blog post yesterday. "I resigned my role as lead author and editor, [withdrew] my name from the specification, and left the working group...Deciding to move on from an effort I have led for over five years was agonizing."

OAuth is designed to let one Web site or software service grant another limited access to a user's account, without handing over the user's password, which removes some of the ever-growing hassle of usernames and passwords. For example, OAuth gives a third-party app a way to get permission from Flickr to post photos to a Flickr user's account, and nothing else. Hammer-Lahav has likened it to giving somebody a limited-privilege valet key rather than the full-privilege key that unlocks everything in a person's car.
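To make the valet-key idea concrete, here is an added Python sketch of the roles OAuth 2.0 arranges: a resource owner approves a limited scope, an authorization server issues a one-time code and then a scoped, expiring token, and a resource server refuses any action outside that scope. This is illustrative code written for this page, not code from the article, from Hammer-Lahav, or from any real OAuth library; the client "photoprinter", its secret, the scope names and the action names are invented, and real deployments add redirect-URI checks, a state parameter and TLS on every leg.

```python
import hmac
import secrets
import time

# Scopes the resource server (the "car") understands; a valet key covers only some.
ALL_SCOPES = frozenset({"photos:read", "photos:write", "account:delete"})

# Scope each protected action requires (invented for this example).
REQUIRED_SCOPE = {
    "list_photos": "photos:read",
    "upload_photo": "photos:write",
    "delete_account": "account:delete",
}


class AuthorizationServer:
    """Issues one-time authorization codes and scoped, expiring bearer tokens."""

    def __init__(self, clients, now=time.time):
        self.clients = clients      # client_id -> client_secret (constructed test data)
        self.now = now              # injectable clock so expiry can be exercised
        self._codes = {}            # code -> (client_id, user, scope, expires_at)
        self._tokens = {}           # token -> (user, scope, expires_at)

    def authorize(self, client_id, user, requested, approved):
        """Resource owner `user` approves a subset of what the client asked for."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        requested, approved = frozenset(requested), frozenset(approved)
        if not (approved <= requested <= ALL_SCOPES):
            raise ValueError("approved scope must be a subset of the request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, user, approved, self.now() + 60)  # short-lived
        return code

    def exchange_code(self, client_id, client_secret, code):
        """Client authenticates and redeems its code; codes are single-use."""
        expected = self.clients.get(client_id, "")
        if not hmac.compare_digest(expected, client_secret):  # constant-time compare
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)                  # pop: a replay finds nothing
        if entry is None:
            raise PermissionError("invalid_grant")
        code_client, user, scope, expires_at = entry
        if code_client != client_id or expires_at < self.now():
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scope, self.now() + 3600)
        return token

    def introspect(self, token):
        """Return (user, scope, expires_at) for a live token, else None."""
        entry = self._tokens.get(token)
        if entry is None or entry[2] < self.now():
            return None
        return entry


class ResourceServer:
    """Enforces scope on every call: the token is the valet key, not the master key."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def call(self, token, action):
        info = self.auth.introspect(token)
        if info is None:
            return 401, "invalid_token"
        user, scope, _ = info
        if REQUIRED_SCOPE[action] not in scope:
            return 403, "insufficient_scope"
        return 200, f"{action} performed for {user}"


class Clock:
    """Manual clock (constructed for the demo) so token expiry can be driven forward."""

    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def run_demo():
    """Grant, in-scope use, out-of-scope denial, code replay, and token expiry."""
    clock = Clock()
    auth = AuthorizationServer({"photoprinter": "printer-secret"}, now=clock)
    photo_site = ResourceServer(auth)

    # User "alice" lets the hypothetical photoprinter app read and write photos only.
    wanted = {"photos:read", "photos:write"}
    code = auth.authorize("photoprinter", "alice", wanted, wanted)
    token = auth.exchange_code("photoprinter", "printer-secret", code)

    results = {}
    results["upload"] = photo_site.call(token, "upload_photo")[0]    # 200: within scope
    results["delete"] = photo_site.call(token, "delete_account")[0]  # 403: never delegated
    try:
        auth.exchange_code("photoprinter", "printer-secret", code)   # replaying the code
        results["reuse"] = "accepted"
    except PermissionError as e:
        results["reuse"] = str(e)                                    # invalid_grant
    clock.t += 3601                                                  # token lifetime elapses
    results["expired"] = photo_site.call(token, "upload_photo")[0]   # 401
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point worth noticing is that the app never sees alice's password and never holds a credential that could delete her account; the scope lives with the token, and the resource server, not the client, decides what the token is good for.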

OAuth 2.0 was meant to improve on version 1.0, released in 2007, and was supposed to be finished by the end of 2010, Hammer-Lahav said when he introduced OAuth 2.0. It has now reached the eve of completion, but its standardization at the Internet Engineering Task Force (IETF) fell prey to the priorities of enterprise technology companies, he said.

"At the core of the problem is the strong and unbridgeable conflict between the Web and the enterprise worlds. The OAuth working group at the IETF started with strong web presence. But as the work dragged on (and on) past its first year, those Web folks left along with every member of the original 1.0 community. The group that was left was largely all enterprise... and me," he said. "The resulting specification is a designed-by-committee patchwork of compromises that serves mostly the enterprise."


He's not the only one with concerns.

"The new technology coming down the pipe, OAuth 2 and friends, is way too hard for developers; there need to be better tools and services if we're going to make this whole Internet thing smoother and safer," said Tim Bray, announcing his new role at Google working on online identity issues. Bray has a lot of cred: he helped create XML before running a lot of Android developer relations.

And Ian Hickson, editor of the HTML "living standard" (but no longer the W3C's HTML5 "snapshot" of that standard) also expressed concerns about the IETF's ways.

"I wish you had had that experience before you convinced me to let the IETF get their hands on WebSocket," Hickson said in a comment to Hammer-Lahav's post, referring to a technology that enables fast communication between Web browsers and Web servers. "Same thing happened there, I ended up getting my name removed from that spec too. What a disaster."