Wow, is it just me or is there a whole lot of passive aggressiveness in this post?
Anyway, to address the post, yes we do know that Google have implemented most of OAuth 2.0, but in reality not everyone is happy to use Google for various reasons.
There are plenty of people and organizations that have to implement OAuth 2.0 server-side and wade through a messy specification where half of it may be irrelevant.
A ridiculous amount. I'm an outsider to all this (iOS developer with a healthy interest in technology), and the constant pejorative adjectives directed at Hammer, combined with the odd directions to the reader to "find (strong options re: Hammer) on the Net" and the horrible words put in Hammer's mouth, that Hammer's "pissed at everyone"...combine to make this post seem like it has a lot more sizzle than steak.
"First Take-Away" is devoted to "hey, Google implemented OAuth 2". That, as far as I understand it, is hot air because it doesn't obviate Hammer's original contention that OAuth 2 was impossible to implement without experts driving your implementation.
"Interop?" is devoted to him throwing out a wildly idealistic idea, immediately followed up by him noting that he has no idea if it's possible.
"Enterprisey" notes that he doesn't understand the enterprise requirements; understanding enterprise requirements requires expert-level domain knowledge (again, bolstering Hammer's point); and boy, those enterprise people sure are crazy!
"Standards-Making" opens by trying to use clever wordplay that has the effect of making Hammer seem small for being "pissed at everyone", and an unwarranted defense of standardization proposals aimed at those commenting on the fact that the head of a standardization proposal said standardization proposals are broken.
The most confusing part of this to me is that Bray wrote an article (http://www.tbray.org/ongoing/When/201x/2012/06/29/Becoming-a...) less than one month ago noting that "The new technology coming down the pipe, OAuth 2 and friends, is way too hard for developers; there need to be better tools and services if we’re going to make this whole Internet thing smoother and safer." Yet, somehow he feels that Hammer's opinion is divergent enough from what he said to be worthy of a long, sanctimonious, vacuous article.
I don't understand why Tim Bray is respected by the tech community, and after two years of following tech news and giving him the benefit of the doubt, I'm not going to bother anymore. He seems perfectly intelligent, but his tendency online of having overwrought reactions that conflict with prior overwrought reactions he had makes it difficult for me to consider him anything but a bloviator.
I didn't catch that he was frustrated about OAuth 2 being way too hard for developers. Maybe he thinks Hammer should be content with developers having to use libraries they don't understand.
> but in reality not everyone is happy to use Google for various reasons.
I don't think he is saying 'just use Google'. He is saying that Google's widespread adoption of OAuth 2.0 is an existence proof that the technology itself works.
> plenty of people and organizations have to implement OAuth 2.0 server-side and wade through messy specification where half of it may be irrelevant
Hence this bit: "It’s done. Stick a fork in it. Ship the RFCs." It is entirely possible that the 'working' bits of the spec will be distilled out as RFCs which should make implementation easier.
OAuth 2 does a job, it works - it's not broken. It's widely implemented by the major players in the web space (Google, Facebook, Microsoft, Yahoo). It's being used by those companies (and many, many others) without their systems being compromised because of it. It's business as usual.
As engineers of the world wide web (and its future), it's our responsibility to avoid the toys being thrown out of others' prams (strollers) from time to time.
My worry is that in the interim period between this and an improved auth protocol we all agree on, devs will continue to just roll their own (much less well conceived) authentication protocols.
Surely Bray's response has merit and is more mature; this thing isn't perfect, but it powers probably more logins than anything else on the web. Let's finish and standardise the 2.0 standard before moving on.
"Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing."
I feel like it's a safe investment to avoid anything that can bring about a decision that drastic.
Well, participating in the OAuth 2.0 committee is what brought about that decision, not OAuth 2.0 itself. In fact Eran has a suggestion in that post under the "To Upgrade or Not to Upgrade" heading: look at what Facebook does and do that.
Yes, but in the end, he's saying that he'd rather remove 5 years of his life from his resume than have his name on the monstrosity that that committee will be releasing.
So back to the parent's post, why wouldn't you be wary of something that came from that situation if one of the primary creators doesn't even want his name involved with it?
I don't see the connection. Should we avoid every open source project that was abandoned by one of its leaders? I think each spec/project should be evaluated according to its own merits rather than summarily judged based upon actions of certain associated parties.
I highly doubt that most spec/project leaders abandon their projects because they consider it a 'professional disappointment.' I can't think of any such projects off the top of my head. On the contrary, I imagine that many feel that they have little left to contribute and want a fresher pair of hands to guide it forwards.
Everything 'should' be judged on its own merits, but humans have a tendency to make snap judgements. We make them every day when we see someone we've never met, or are introduced to someone new. To be fair, my statement was based on my personal opinion and feelings after reading Eran's piece. Perhaps OAuth 2 really is going to take off, but I can't imagine how terrible something would have to be to give up 3-5 years of my life's work.
edit: To be clear, I should acknowledge that sometimes snap judgements are wrong. Sometimes they are right. But when we make them, we save ourselves the burden of exhaustively investigating _every_ possible technology, or that everyone might be a great person and friend. Eran's post was enough to convince me that I should stay away from OAuth 2 until convinced otherwise.