Painless OAuth: Adopting OAuth without the night sweats
Clay Loveless – @claylo
There really is no painless way to get OAuth done, but that pain is part of security
The clarity of OAuth as a choice
It isn't as clear as it may have been several months ago
The need to support the OAuth standard is a reality today
Is it really a standard? Which version? Twitter and FB are each using a modified version
There is a growing need for a standard approach to delegating authenticated interactions
Perhaps it isn't such a good idea
API Providers -> OAuth Creators -> Developers (cycle)
Too many players in the spec; providers push their problems off onto the spec; devs see OAuth creating more problems than it solves
Small group of people who are happy
Huge group that don't care (FB, Twitter, Amazon, Flickr)
Is one standard the best way to approach the problem?
Perhaps the concept of OAuth as a final destination needs to end
What's the next step?
XAuth is a limited-access protocol that swaps the username/password for tokens, but it requires an approval process for the client
It adds a layer of security, or at least a review process, to help prevent abuse
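The credential-for-token swap described above, as an added example that is not the talk's or Twitter's code: a simplified Python model of a provider that vets clients (the approval process), checks the password once, and hands back a token the client uses from then on. All names (TokenService, the sample user and client) are hypothetical; real xAuth rides on an OAuth 1.0a signed access-token request, which this model leaves out.

```python
# Added example: simplified model of an xAuth-style credential-for-token swap.
# Not the original talk's code. Real xAuth is an OAuth 1.0a access-token request
# signed with the consumer key/secret; that signing layer is omitted here.
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: iteration count chosen for the example


class TokenService:
    """Provider side: vets clients, verifies a password once, issues tokens."""

    def __init__(self) -> None:
        self.users = {}    # user -> (salt, password hash)
        self.clients = {}  # approved client key -> client secret
        self.tokens = {}   # issued token -> user

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def approve_client(self, key: str, secret: str) -> None:
        # The "approval process": only clients the provider has reviewed may
        # present a user's password to obtain a token.
        self.clients[key] = secret

    def exchange(self, key: str, secret: str, user: str, password: str) -> Optional[str]:
        """Swap username/password for a token; None on any failure."""
        expected = self.clients.get(key)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None  # unapproved client: refused even with a correct password
        record = self.users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Resolve a token to its user; API calls present this, never the password."""
        return self.tokens.get(token)

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)


def demo() -> dict:
    """Run the swap from the client's point of view; each value is True on success."""
    svc = TokenService()
    pw = "correct horse battery staple"
    svc.register_user("alice", pw)               # constructed sample user
    svc.approve_client("vetted-app", "s3cret")   # constructed approved client

    token = svc.exchange("vetted-app", "s3cret", "alice", pw)
    # From here the client keeps only the token; the password is discarded.
    results = {
        "issued": token is not None,
        "token_works": svc.authenticate(token) == "alice",
        "wrong_password": svc.exchange("vetted-app", "s3cret", "alice", "wrong") is None,
        "unapproved_client": svc.exchange("rogue-app", "s3cret", "alice", pw) is None,
        "wrong_client_secret": svc.exchange("vetted-app", "nope", "alice", pw) is None,
    }
    # Revoking the token cuts off this client without the user changing a password.
    svc.revoke(token)
    results["revoked_token_rejected"] = svc.authenticate(token) is None
    results["password_still_valid"] = svc.exchange("vetted-app", "s3cret", "alice", pw) is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point the model makes that the notes only hint at: the password crosses the wire once, to a client the provider has reviewed, and everything afterwards is a token the provider can revoke per client without touching the user's password.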
Think for "ourselves" and review the pros/cons of what is offered
The problem OAuth is trying to solve isn't much of a problem any longer
What are the alternatives to OAuth?
XAuth is interesting because it provides some vetting to the process.
The Netflix example uses an added layer of security. It isn't as easy but works.
Is OAuth a bad design or execution?
Some parts of the spec work, but he would like to see it shift from a standard to a series of patterns. Best-practice guidance for mobile, web apps, etc. would be welcome.
What about OpenID?
It is too hard, and most users don't have a clue what it is. It suffers from the same challenges, and companies are walking away from it.
Is Single Sign-on a worthy problem to chase?
It is for the companies that are chasing it. There are workflow challenges in their solutions, and those organizations will change over time too.