Does OAuth’s Complexity Alienate Small Apps?
OAuth is a great way to sidestep the dilemma of having to hand over passwords to third party sites and apps to access user data. This is the primary reason the authentication method is fast becoming a de riguer part of today’s social APIs. But, while OAuth solves one problem, it creates another — it greatly raises the complexity of simple apps.
OAuth assumes a particular use case — you are using a third party service that wants to access your data on some other service. Rather than handing over your username and password, OAuth has you log in to, for example, Twitter and then authorize, for example, Twitterific to access your data.
Where OAuth adds complexity is in the small developer use case, where “your app” and the user of your app are in fact just you — for example, a simple script that lives on your server, grabbing your Twitter stream and storing it on your own server. It’s much, much more difficult to hack up such a script using OAuth than it is with simple password authentication. The barrier to experimentation is astronomically higher with OAuth than with basic authentication.
As Microsoft’s Jon Udell points out on the O’Reilly Radar blog, this tradeoff — protected passwords at the expense of making development more complex — means that hacking together an quick experiment is now much more difficult.
Protecting passwords is good, and no one is arguing otherwise. But where OAuth fails is focusing on the application accessing data at the expense of the individual experimenting with their own data.
In the end, OAuth 2.0 may help ease that pain by offering a cryptography-free option for authentication that doesn’t require half a dozen redirects to get your own data. OAuth 2.0 is already being implemented by Facebook and Twitter, but it isn’t widely implemented on other sites, and it’s still a moving target — as evidenced by initiatives like OpenID Connect and step2, which extend OAuth by adding in elements from OpenID. In the mean time, hacking together a script to access Twitter or other popular OAuth-based APIs is no longer just a matter of quick, late night inspiration.