OAuth 2.0 editor resigns and takes name off spec
After working for three years as lead author and editor for OAuth 2.0, Eran Hammer has resigned from the role, left the working group and withdrawn his name from the specification, saying "OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it. It is the biggest professional disappointment of my career." Hammer explains in a blog post that "All the hard fought compromises ... resulted in a specification that fails to deliver its two main goals – security and interoperability."
In comparing OAuth 2.0 with 1.0, he points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure". A developer well versed in web security could produce a secure implementation, he says, but most developers are not so well versed, and experience shows that they would not.
He explains how architectural changes for 2.0 unbound tokens from clients, removed all signatures and cryptography at the protocol level, and added expiring tokens (because tokens could not be revoked), which in turn complicated the processing of authorisation. Numerous items were left unspecified or unlimited in the specification because "as has been the nature of this working group, no issue is too small to get stuck on or leave open for each implementation to decide".
Hammer points to a conflict between the web and enterprise cultures, citing the IETF as a community that is "all about enterprise use cases" and "not capable of simple". What is now offered is a blueprint for an authorisation protocol rather than a protocol, he says, and "that is the enterprise way", providing a "whole new frontier to sell consulting services and integration solutions". He believes that the web needs a simple, well-defined protocol to improve security and increase interoperability. As an example from a major OAuth 2.0 implementation, he notes that Facebook's Open Graph is running draft 12 of the standard with no reason to upgrade, because, Hammer believes, other OAuth 2.0 clients are unlikely to be able to interoperate usefully with it anyway.
In closing, Hammer calls it "a sad conclusion to a once promising community" and recalls that OAuth was emblematic of small, quick useful standards produced outside standards bodies. "Bringing OAuth to the IETF was a huge mistake."