
OAuth2.a or Let's Just Fix It - homakov
http://homakov.blogspot.com/2012/08/saferweb-oauth2a-or-lets-just-fix-it.html
======
lloeki
If a sizable part of the community can agree and come up with a better OAuth
2, then by all means possible, _implement it_! Shipping code wins, always.

I'm admittedly unable to assess the situation, but from what I gather from
people who can, there will be N implementations of OAuth 2.x anyway, all non-
interoperable. One may just as well literally fork the standard, fix it,
implement the fixed spec and release that. If it ends up more useful than both
OAuth 1.0 and OAuth 2.0 then people will hopefully use it. If not, we'll have
a broken standard anyway.

~~~
homakov
This is true! We need to work on a solution and not on forks with solutions.

But one thing about OAuth2: it's damn small and easy. There is nothing to "fork"
in it. This is why we need to fix 2 vulns (from my post) and make it slightly
more interoperable.

------
marquis
This might be a good opportunity for a kickstarter campaign for an open source
project. Rewards? No more (or at least, less) frustration for all.

~~~
homakov
But how can asking the OAuth guys to fix something be a project? Do you propose
to fork OAuth?

~~~
marquis
I don't know how OAuth is funded currently: if someone can't be found to
oversee fixing the issues that are holding everyone hostage to a difficult spec,
then a fork may be necessary, yes.

------
lifeisstillgood
OK, I am in. Let's implement the above (as a spec it beats many I have known!),
run it past a lot of security reviews and let the market decide.

@homakov - will you host a bare repo on GitHub? (Possibly you are and I missed
that bit.)

~~~
homakov
I can make a repo for this. Ping me (contacts on my blog) and we will figure it
out.

------
cutie
I'd like to like OAuth, but its rise has made some use cases very difficult or
impossible. We write automated scripts (to display data feeds) where no human
is involved, and OAuth has cut off access to many of the big sites. Twitter is
one of the few that leaves us a backdoor, but who knows how long it will last.

We are working around OAuth, but the user experience for someone trying to use
our scripts is horrible: a multi-step process that requires a technical person
(too much for some of our customers).

------
ecaron
Google, LinkedIn, Twitter, Facebook, Yahoo! - this only stands a chance if you
get them all to partake in this discussion and work towards a single
implementation that works against all of their platforms.

Otherwise, these discussions are pointless.

~~~
sunir
Aw, c'mon! If you worry about getting the elephants to agree, you'll get stuck
in committee adding enterprise cruft. You can move forward without them.

You can build protocols with your fellow smaller companies that have a
pressing need to make something work with you, as I believe was the case with
OAuth itself (Magnolia and Twitter) and OpenID (I believe LiveJournal and
DeadJournal).

If it's good and people are using it well, and you talk about it openly and
involve others, it can create its own momentum and become a standard. If not,
well, whatever. At least you've moved your own business forward with your
partners.

------
ivarkotnik
I really don't get what is so "tedious" with OAuth 1.0a and encryption? It's
so simple it's almost ridiculous...
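
An added example, not part of this thread or of homakov's post, of the OAuth
1.0a request signing ivarkotnik is talking about: the RFC 5849 HMAC-SHA1
base-string construction and signature in Python, plus the constant-time check a
server would do. The parameters and the expected base string are the RFC's own
worked example (section 3.4.1.1); the two secrets are constructed for this
example, and the function names are mine, not any library's.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct_encode(s: str) -> str:
    """RFC 5849 section 3.6: UTF-8 encode, then percent-encode every byte except
    ALPHA / DIGIT / '-' / '.' / '_' / '~', using uppercase hex digits."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme and host, drop the default port,
    keep the path, discard query string and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(params):
    """RFC 5849 section 3.4.1.3.2: encode names and values, sort by name then by
    value (duplicate names are allowed), join as name=value pairs with '&'."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params) -> str:
    """RFC 5849 section 3.4.1.1: METHOD & encoded(base URI) & encoded(normalized params).
    `params` holds the decoded query, form-body and oauth_* header parameters,
    excluding realm and oauth_signature."""
    return "&".join([method.upper(),
                     pct_encode(base_string_uri(url)),
                     pct_encode(normalize_params(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2: key = encoded(consumer secret) '&' encoded(token secret)."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(method, url, params, presented, consumer_secret, token_secret=""):
    """Server side: rebuild the base string from the request as received (the
    oauth_signature parameter itself is never part of it) and compare in constant
    time, so the comparison does not leak how many leading bytes matched."""
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Worked input from RFC 5849 section 3.4.1.1: the decoded parameters of
#   POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b   (form body: c2&a3=2+q)
# plus the oauth_* values carried in its Authorization header.
RFC5849_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),
    ("c2", ""), ("a3", "2 q"),
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC5849_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
# Secrets constructed for this example; only the base string is checked against the RFC.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"


def demo():
    """Sign the RFC example request, verify it, then show a tampered body parameter is rejected."""
    method, url = "POST", "http://example.com/request"
    base = signature_base_string(method, url, RFC5849_PARAMS)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    signed = RFC5849_PARAMS + [("oauth_signature", sig)]
    tampered = [("a3", "2 q!") if kv == ("a3", "2 q") else kv for kv in signed]
    return {
        "base_string_matches_rfc": base == RFC5849_BASE_STRING,
        "signature": sig,
        "valid": verify_signature(method, url, signed, sig, CONSUMER_SECRET, TOKEN_SECRET),
        "tampered_valid": verify_signature(method, url, tampered, sig, CONSUMER_SECRET, TOKEN_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Most of the work in 1.0a is the normalization (percent-encoding rules, the
double-encoding of the base string, sort order with duplicate names, default-port
handling), which is exactly where independent implementations used to disagree
and produce "invalid signature" errors; the HMAC itself is two lines.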

~~~
homakov
When you compare it with OAuth2 you can see the difference.

~~~
sunir
That is not an answer to his question.

