OAuth 2.0 protocol author Eran Hammer-Lahav is resigning from the project, and he doesn’t mince words about why. “This is a case of death by a thousand cuts, and as the work was winding down, I’ve found myself reflecting more and more on what we actually accomplished,” he wrote in a blog post yesterday. “At the end, I reached the conclusion that OAuth 2.0 is a bad protocol… It is bad enough that I no longer want to be associated with it. It is the biggest disappointment of my career.”
OAuth 2.0, introduced in May of 2010, is the latest iteration of OAuth, the open standard that allows sites to communicate and share user content from their respective platforms given users’ permission. It’s the tool that, for example, gives a third party the ability to post content to Twitter or Facebook. It’s been operating since 2007, and it’s been a critical piece of the social networking data landscape since.
And now it appears the evolution of the protocol is broken. Hammer-Lahav says in comparison with OAuth 1.0, 2.0 is “more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.” He mentions that while advanced developers won’t have an issue with security, the vast majority are likely to experience problems. Hammer-Lahav goes as far as to say that if you’re successfully operating with version 1.0, then don’t upgrade.
He predicts that the community around OAuth will continue to dissolve and be replaced by new platforms more closely aligned with what the original protocol was trying to do, and that these will be where developers start to turn. Turning to IETF, the Internet Engineering Task Force, meant OAuth become more beholdened to enterprise companies, and that this killed the innovation and flexibility of OAuth’s original engineering community.
The harsh words and gloomy projections should pique outside developer interest in creating something more agile – something that could be adopted en masse by the various platforms interested in permission systems for data sharing. Which is, as you can assume, a very high number.
- Facebook was always too busy selling ads to care about your personal data
- Is there horse in your hamburger? How blockchain could fight food fraud
- Cambridge Analytica’s ex-director wants to fix data privacy. Can we trust her?
- 9 things to know about Facebook privacy and Cambridge Analytica
- How Instagram’s being used to make the outdoors more inclusive and diverse