Painless OAuth @claylo #w2e

Painless OAuth: Adopting OAuth without the night sweats

Clay Loveless – @claylo
Mashery

There really is no painless way to get OAuth done, but it is part of security

The clarity of OAuth as a choice
It isn't as clear as it may have been several months ago

The need to support the OAuth standard is a reality today
Is it really a standard? Which version? Twitter and FB are using a modified version

The greater the need for a standard approach to delegating authenticated interactions
Perhaps it isn't such a good idea

API Providers -> OAuth Creators -> Developers (cycle)
Too many players in the spec, providers push off standards to the spec, Devs see OAuth creating more problems than it solves
Small group of people that are happy
Huge group that doesn't care (FB, Twitter, Amazon, Flickr)

Is one standard the best way to approach the problem?
Perhaps the concept of OAuth as a final destination needs to end

What's the next step?
XAuth is a limited-access protocol that swaps out the username/password for tokens, but it requires an approval process
It adds a layer of security or at least a review process to help prevent exploits
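To make the "swaps out the u/p for tokens" step concrete, here is an added example (not from the talk or these notes) of how an XAuth access-token request is signed under OAuth 1.0a HMAC-SHA1, and how the provider verifies that signature before issuing a token. The x_auth_* parameter names follow Twitter's XAuth; the endpoint URL, keys, secrets, nonce and timestamp are constructed placeholders.

```python
# Added example: OAuth 1.0a HMAC-SHA1 signing of an XAuth access-token request
# plus provider-side verification. Endpoint, keys and secrets are placeholders.
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 percent-encoding: only unreserved characters stay unescaped."""
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & URL & sorted, encoded parameter pairs."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def xauth_request(consumer_key, consumer_secret, username, password, nonce, ts):
    """Client side: x_auth_* fields plus the oauth_* fields, all covered by the
    signature. The raw password still travels in this request; only TLS hides it."""
    url = "https://api.example.com/oauth/access_token"  # placeholder endpoint
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts),
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        "x_auth_password": password,
    }
    params["oauth_signature"] = sign(base_string("POST", url, params), consumer_secret)
    return url, params


def verify(url: str, params: dict, consumer_secret: str) -> bool:
    """Provider side: recompute the signature over every field except the
    signature itself and compare in constant time; any edited field fails."""
    provided = params.get("oauth_signature", "")
    rest = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(base_string("POST", url, rest), consumer_secret)
    return hmac.compare_digest(provided, expected)
```

The signature binds the consumer secret to the exact parameter set, which is the "approval process" in code: only a registered consumer can produce a request the provider will accept, and it cannot be replayed with a different username.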
Think for "ourselves" and review the pros/cons of what is offered
The problem OAuth is trying to solve isn't much of a problem any longer

Questions
What are the alternatives to OAuth?
XAuth is interesting because it provides some vetting to the process.
The Netflix example uses an added layer of security. It isn't as easy but works.

Is OAuth a bad design or execution?
There might be some parts of the spec that work but would like to see it switch from a standard to a series of patterns. Best practices would be great for mobile, web apps, etc.

What about OpenID? 
It is too hard and most users don't have a clue what it is. It suffers from the same challenges and companies are walking away from it.

Is Single Sign-on a worthy problem to chase?
It is for the companies that are chasing it. There are workflow challenges to their solutions. There will be changes in those organizations over time too.