A Truckload of OAuth Issues That Would Make Any Author Quit
New submitter DeFender1031 writes "Several months ago, when Eran Hammer ragequit the OAuth project, many people thought he was simply being overly dramatic, given that he gave only vague indications of what went wrong. Since then, and despite that, many companies have been switching to OAuth, citing it as a 'superior form of secure authentication.' But a fresh and objective look at the protocol highlights the significant design flaws in the system and sheds some light on what might have led to its creator's departure."
Re:WTF was that? (Score:4, Interesting)
I think the key point of the article is the first part, the "APUI" section. OAuth is "fine" when used for authentication by a user for a service based on a web browser. However, it is increasingly being applied at the "API" level (where services and applications interact, not users). It doesn't work _at all_ at this level.
I agree that the enterprise level permissions bit is pushing things, but the rest of the article is spot on.
Re:Get out the duct tape (Score:2, Interesting)
Computers run on standards; there is no excuse for this.