November 26, 2009

Is There a Looming Battle Over OAuth's Successor?

The OAuth protocol, used on many popular Web sites and applications, including Twitter, to pass your credentials between sites without requiring the entry of your user name and password, is potentially under pressure from a team of techies representing Microsoft, Google and Yahoo!, who have introduced a competing specification, the Web Resource Authorization Protocol (WRAP), widely interpreted as an attempt to succeed OAuth. Eran Hammer-Lahav, the Director of Standards Development at Yahoo!, who helped coordinate many OAuth contributions and created a formal specification for the initial OAuth standard, recently panned the move, saying, "The road to hell is paved with good intentions," and added his own proposal for OAuth 2.0, which he hopes will better separate authentication from authorization.

Today's OAuth standard is known to have its imperfections. Hammer-Lahav notes in his 2.0 proposal that OAuth is essentially "unusable" for mobile devices or installed apps, and also suggests that OAuth "does not adequately support large providers". But he says the move to create WRAP has confused developers' focus, and diverted resources, calling it "just one illustration of the demise of the OAuth community".

But his opinion, unsurprisingly, is not universally accepted. David Recordon of Facebook, also on the boards of the OpenID and Open Web Foundations, states in the comments of the post that Facebook is not supporting OAuth 1.0 because it is simply too heavy, requiring a massive increase in HTTP requests, and adds that other developers find OAuth "too difficult to correctly implement".

David followed up his initial comments with a post to the IETF mailing list, which you can see here: Facebook, OAuth, and WRAP. In the note, he argues that the proposed WRAP alternative maps well to the company's current authentication process, and that WRAP flattens the development community's learning curve.

The discussion, which is ongoing, may end up splintering development communities between those sticking with the current OAuth 1.0, those looking at WRAP as an alternative, and those trying to support a new OAuth 2.0 as specified by Hammer-Lahav. If you have wondered why Facebook Connect acts one way and Twitter OAuth acts another, it's because they are different approaches entirely. If this discussion is any indication, one can expect continued divergence, rather than a single way to deliver user authentication and authorization between sites and applications on the Web.

For another viewpoint on this broad topic, see Jesse Stay's post: The Future Has No Log In Button. Also, DeWitt Clinton of Google, on FriendFeed, says the open discussion "is good".