

On the Deadness of OAuth 2 - zdw
http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead

======
martinsievers
Wow, is it just me or is there a whole lot of passive aggressiveness in this
post?

Anyway, to address the post, yes we do know that Google have implemented most
of OAuth 2.0, but in reality not everyone is happy to use Google for various
reasons.

There are plenty of people and organizations who have to implement OAuth 2.0
server-side and wade through a messy specification where half of it may be
irrelevant.

~~~
refulgentis
A ridiculous amount. I'm an outsider to all this (iOS developer with a healthy
interest in technology), and the constant pejorative adjectives directed at
Hammer, combined with the odd directions to the reader to "find (strong options
re: Hammer) on the Net" and the horrible words put in Hammer's mouth, that
Hammer's "pissed at everyone"... combine to make this post seem like it
has a lot more sizzle than steak.

"First Take-Away" is devoted to "hey, Google implemented OAuth 2". That, as
far as I understand it, is hot air because it doesn't obviate Hammer's
original contention that OAuth 2 was impossible to implement without experts
driving your implementation.

"Interop?" is devoted to him throwing out a wildly idealistic idea,
immediately followed up by him noting that he has no idea if it's possible.

"Enterprisey" notes that he doesn't understand the enterprise requirements,
understanding enterprise requirements requires expert-level domain knowledge
(again, bolstering Hammer's point) and boy, those enterprise people sure are
crazy!

"Standards-Making" opens by trying to use clever wordplay that has the effect
of making Hammer seem small for being "pissed at everyone", and an
unwarranted defense of standardization proposals aimed at those commenting on
the fact that the head of a standardization proposal said standardization
proposals are broken.

The most confusing part of this to me is that Bray wrote an article
([http://www.tbray.org/ongoing/When/201x/2012/06/29/Becoming-an-Identity-guy](http://www.tbray.org/ongoing/When/201x/2012/06/29/Becoming-an-Identity-guy))
_less than one month ago_ noting that "The new technology
coming down the pipe, OAuth 2 and friends, is way too hard for developers;
there need to be better tools and services if we're going to make this whole
Internet thing smoother and safer." Yet, somehow he feels that Hammer's
opinion is divergent enough from what he said to be worthy of a long
sanctimonious, vacuous, article.

I don't understand why Tim Bray is respected by the tech community, and after
two years of following tech news and giving him the benefit of the doubt, I'm
not going to bother anymore. He seems perfectly intelligent, but his tendency
online of having overwrought reactions that conflict with prior overwrought
reactions he had makes it difficult for me to consider him anything but a
bloviator.

~~~
nl
I don't get that at all.

I think the OAuth 2.0 story _is_ complicated, support _is_ mixed and Bray's
post acknowledges that.

------
beaker52
OAuth 2 does a job, it works - it's not broken. It's widely implemented by the
major players in the web space (Google, Facebook, Microsoft, Yahoo). It's
being used by those companies (and many, many others) without their systems
being compromised because of it. It's business as usual.

As engineers of the world wide web (and its future), it's our responsibility
to avoid the toys being thrown out of others' prams (strollers) from time to
time.

------
firlefans
My worry is that in the interim period between this and an improved auth
protocol we all agree on, devs will continue to just roll their own (much less
well conceived) authentication protocols. Surely Bray's response has merit
and is more mature: this thing isn't perfect, but it powers probably more
logins than anything else on the web. Let's finish and standardise the 2.0
standard before moving on.

------
shock3naw
"Removing my name from a document I have painstakingly labored over for three
years and over two dozen drafts was not easy. Deciding to move on from an
effort I have led for over five years was agonizing."

I feel like it's a safe investment to avoid anything that can bring about a
decision that drastic.

~~~
benatkin
Well, participating in the OAuth 2.0 committee is what brought about that
decision, not OAuth 2.0 itself. In fact Eran has a suggestion in that post
under the "To Upgrade or Not to Upgrade" heading: look at what Facebook does
and do that.

~~~
wccrawford
Yes, but in the end, he's saying that he'd rather remove 5 years of his life
from his resume than have his name on the monstrosity that _that_ committee
will be releasing.

So back to the parent's post, why wouldn't you be wary of something that came
from that situation if one of the primary creators doesn't even want his name
involved with it?

