
Developer Quits OAuth 2.0 Spec, Calls It ‘a Bad Protocol’

After three years as lead author and editor of the OAuth 2.0 specification, Eran Hammer has stepped down from his role, withdrawn his name from the spec and even quit the OAuth working group completely, frustrated with what he now calls “a bad protocol.”

OAuth 2.0 is a rewrite of the original OAuth spec, which offers a secure way to sidestep the dilemma of having to hand over passwords to third party sites and apps to access user data. Google, Facebook, Twitter, and Yahoo are among the high-profile sites that have embraced OAuth in some fashion.

Unfortunately, according to Hammer, those same big names are at least partly responsible for making OAuth 2.0 the fiendishly complex and convoluted spec that it has become. Hammer is not the first to question the usefulness of OAuth 2.0. In fact, we’ve previously argued that OAuth 2.0’s complexity is hurting the spirit of API experimentation on the web.

Hammer isn’t just questioning OAuth 2.0; he has abandoned it entirely and erased himself from the project, calling it “a bad protocol… bad enough that I no longer want to be associated with it.”

In Hammer’s view, OAuth 2.0 is “more complex, less interoperable, less useful, more incomplete, and most importantly, less secure” than its 1.0 cousin.

The problem, according to Hammer, is the “enterprise” edge cases, which do nothing for the vast majority of developers other than make OAuth 2.0 more complex. As Hammer writes, “that is the enterprise way. The WS-* way. 2.0 provides a whole new frontier to sell consulting services and integration solutions.”

So what should you do? Well, as RSS developer Dave Winer says, “OAuth 1 is fine.” Indeed, OAuth 1.0 works and it’s much more accessible for smaller development teams — you don’t need Google’s engineering team to turn out a secure implementation of OAuth 1.0. Hammer has similar advice, writing, “if you are currently using 1.0 successfully, ignore 2.0. It offers no real value over 1.0.”

Of course the departure of an editor doesn’t mean OAuth 2.0 is going away. It remains, like many other standards, under the auspices of the Internet Engineering Task Force (IETF), which also oversees protocols like SMTP and TCP/IP.