The Internet Engineering Task Force’s Vancouver meeting didn’t exactly have reporters scrambling for their notebooks, but the news that came out of the six-day event that ended Friday has had bloggers clacking keys across the web.
The specs for OAuth 2.0, the protocol for token-based authentication that has gained wide acceptance among web developers, were being debated at the conference and the direction of that debate agitated the protocol’s original author, Eran Hammer, to the point where he stormed out. The colorful language he used to describe the process belied the mundaneness of the standardization process.
Hammer took issue with the direction OAuth 2.0 was taking, saying it was on “the road to Hell.” While he went biblical, others affected by the process took a more measured approach.
Scott Morrison pegged Hammer’s pains as being a classic example of the founder’s problem. The CTO of Vancouver-based API management company Layer7, Morrison praised Hammer for his problem-solving with OAuth 1.0, but added that other people were bound to come into the process and expand it.
“Because it suddenly became so important and people realized it could be much more than the original vision, it moved up into the sort of old-style formalization,” Morrison said. “That’s a huge change, that’s a cultural change and I think that’s where the problem really came about.”
Morrison describes the changing world of standardization and the influence of grassroots developers on it. He said OAuth was the best example of developers getting together and solving a problem independent of vendors, analysts and standards groups.
Not all the pains are cultural. Among the critical changes in OAuth 2.0 is a switch from digital signatures to Secure Sockets Layer (SSL) for securing tokens. Morrison believes that the change was made because SSL is much simpler and is the standard for securing things like credit card transactions, something that would be familiar to developers with a more basic skill set.
“In some respects, it’s maybe not as pure or perfect a solution as using digital signatures, but it gets you there in the end,” Morrison said.
While it may not be as perfect, Morrison believes that SSL will ultimately lead to better security because it is simpler. He said the risk of developer mistakes in more complicated security procedures is higher than any problems with SSL.
Morrison still thinks there’s value in OAuth 2.0 and that developers using it aren’t on a path to damnation. But he would like to see a simpler specification put out so that everyone can move forward.
“My head starts to spin when I start to read the OAuth 2.0 specs,” he said. “It’s up to all of us in the community to communicate what it’s about and build the infrastructure around it to make it easier to use.”