On Wed, Feb 24, 2021, at 17:26, Jim Manico wrote:
> I think it's important to point out that OAuth is not an authentication
> protocol. It's for delegation. OAuth is one of the most misused protocols on
> the modern web. If you really want to support end users, a good place to
> start is to make it clear to developers what OAuth is really for so secure
> solutions are built as opposed to the dumpster fire that OAuth solutions have
> become today.
https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does

Which suggests that if the OAuth solutions deployed today are dumpster fires, then ... well, that's what OAuth 2 does.

My biggest problem with OAuth as an outsider is that it doesn't solve the NxM problem. You can't build a client which can OAuth against any arbitrary OAuth service that provides a standard protocol, because you need to get an API key for your particular application from each service provider. This just doesn't scale, which is a large part of Phillip's complaint as well.

Of course, I came into the IETF having already read https://web.archive.org/web/20120731155632/http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ - which was one of the things which made me wary of the IETF in the first place, and keen to not let everything I touched get over-complicated.

Bron.

--
Bron Gondwana, CEO, Fastmail Pty Ltd
br...@fastmailteam.com
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth