If a sizable part of the community can agree and come up with a better OAuth 2, then by all means possible, implement it! Shipping code wins, always.
I'm admittedly unable to assess the situation, but from what I gather from people who can, there will be N implementations of OAuth 2.x anyway, all non-interoperable. One may just as well literally fork the standard, fix it, implement the fixed spec and release that. If it ends up more useful than both OAuth 1.0 and OAuth 2.0 then people will hopefully use it. If not, we'll have a broken standard anyway.
This is true! We need to work on solution and not on forks with solutions.
But one thing about OAuth 2: it's damn small and easy. There is nothing to "fork" in it. This is why we need to fix the 2 vulns (from my post) and make it slightly more interoperable.
I don't know how oauth is funded currently: if someone can't be found to oversee fixing issues that is holding everyone hostage to a difficult spec then a fork maybe necessary, yes.
I'd like to like Oauth but its rise has made some use-cases very difficult or impossible. We write automated scripting (to display data feeds) where no human is involved, and oauth has cut off access of many of the big sites. Twitter is one of the few that leaves us a backdoor, but who knows how long it will last.
We are working around oauth, but the user experience for someone trying to use our scripts is horrible, a multistep process that requires a technical person (too much for some of our customers).
Google, LinkedIn, Twitter, Facebook, Yahoo! - this only stands a chance if you get them all to partake in this discussion and work towards a single implementation that works against all of their platforms.
Aw, c'mon! If you worry about getting the elephants to agree, you'll get stuck in committee adding enterprise cruft. You can move forward without them.
You can build protocols with your fellow smaller companies that have a pressing need to make something work with you, as I believe was the case with OAuth itself (Magnolia and Twitter) and OpenID (I believe LiveJournal and DeadJournal).
If it's good and people are using it well, and you talk about it openly and involve others, it can create its own momentum and become a standard. If not, well, whatever. At least you've moved your own business forward with your partners.