Hacker News new | past | comments | ask | show | jobs | submit login
OAuth2.a or Let's Just Fix It (homakov.blogspot.com)
37 points by homakov on Aug 1, 2012 | hide | past | favorite | 15 comments

If a sizable part of the community can agree and come up with a better OAuth 2, then by all means possible, implement it! Shipping code wins, always.

I'm admittedly unable to assess the situation, but from what I gather from people who can, there will be N implementations of OAuth 2.x anyway, all non-interoperable. One may just as well literally fork the standard, fix it, implement the fixed spec and release that. If it ends up more useful than both OAuth 1.0 and OAuth 2.0 then people will hopefully use it. If not, we'll have a broken standard anyway.

This is true! We need to work on solution and not on forks with solutions.

but 1 thing about oauth2. It's damn small and easy. There is nothing to "fork" in it. This is why we need to fix 2 vulns(from my post) and make it slightly more interoperable.

This might be a good opportunity for a kickstarter campaign for an open source project. Rewards? No more (or at least, less) frustration for all.

but how asking oauth guys to fix something can be a project? do you propose to fork oauth?

I don't know how oauth is funded currently: if someone can't be found to oversee fixing issues that is holding everyone hostage to a difficult spec then a fork maybe necessary, yes.

Ok I am in. Let's implement the above, (as a spec it beats many I have known!) run it past a lot of security reviews and let market decide

@homakov - will you host bare repo on github? (possibly you are and I missed that bit)

I can make a repo for this. ping me - contacts on my blog and we will figure out

I'd like to like Oauth but its rise has made some use-cases very difficult or impossible. We write automated scripting (to display data feeds) where no human is involved, and oauth has cut off access of many of the big sites. Twitter is one of the few that leaves us a backdoor, but who knows how long it will last.

We are working around oauth, but the user experience for someone trying to use our scripts is horrible, a multistep process that requires a technical person (too much for some of our customers).

Google, LinkedIn, Twitter, Facebook, Yahoo! - this only stands a chance if you get them all to partake in this discussion and work towards a single implementation that works against all of their platforms.

Otherwise, these discussions are pointless.

Aw, c'mon! If you worry about getting the elephants to agree, you'll get stuck in committee adding enterprise cruft. You can move forward without them.

You can build protocols with your fellow smaller companies that have a pressing need to make something work with you, as I believe was the case with OAuth itself (Magnolia and Twitter) and OpenID (I believe LiveJournal and DeadJournal).

If it's good and people are using it well, and you talk about it openly and involve others, it can create its own momentum and become a standard. If not, well, whatever. At least you've moved your own business forward with your partners.

1. google twitter and facebook - would be enough for me. 2. when we talk about security things I hope it will be fixed anyway. I hope.

I really don't get what is so "tedious" with OAuth 1.0a and encryption? It's so simple it's almost ridiculous...

when you compare it with oauth2 you can see the difference

That is not an answer to his question.

some people have problem with encryption. it doesn't matter how easy it might be for you, some people will have a hard time.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact