OAuth is becoming a cautionary tale
By Dave Winer on Friday, January 01, 2010 at 10:44 AM.

If you want to get smart about open standards, you have to watch how these things play out in another open thing -- the market. Because it's the market that just as often shapes a standard as it is a standard that shapes the market.

And to understand it, you have to understand the often-submerged motives of tech people who work at big companies.

For example, why are there so many iconic representations for a feed? Is it because we didn't anticipate in advance that there would be a need for one? Hardly. It's because the big companies, when they came in, ignored prior art and created their own way to do it. Once there were two, why not have twenty-two? Of course that's exactly what happened.

Last year (the one that just ended) it seemed that OAuth had finally gotten to a point where it was frozen. It was deploying in Twitter, and they were making sounds as if they would at some time not too far down the road turn off the username-password way of authenticating users. So I rolled up my sleeves and implemented OAuth in the OPML Editor so my apps could use it. Turns out I was mistaken in believing that it was frozen, because, due to a security issue, they had to change OAuth, and I haven't revisited my code yet to adopt the change, so it doesn't work with the Twitter implementation of OAuth, which honestly, is the only one I care about.

But wait -- it's even worse than it appears (one of my favorite mottos, a persistent disclaimer for all things technical, an adjunct to Murphy's Law). Turns out the creators of OAuth have changed their mind and think it should be stripped to the metal and rebuilt around HTTPS. So not only do I have to throw out all the work I've done, but so does Twitter, and even better worse, my environment doesn't have glue for HTTPS so I'll have to get that together. When will all this happen? Heh. That's the rub. My guess is that, based on past experience with the tech biz, it'll never happen. The people pushing this stuff are young, they haven't been around the loop before. Doesn't matter. Big companies are like Ouija boards. The people don't control them, the psychology does. In the BigCo mindset it's always Day Zero, and the value of all the implementations so far is $0.

The entrepreneurs and the developing platforms are left with nothing to do. The old way of doing things is "deprecated" and the new way is a moving target, never finished, always subject to second-guessing. No one wins this game, but eventually a new thing comes along, and the problems of the last generation seem old.

If OAuth is to have a chance at being a foundation to build on, it would need founders who say to those who want to completely redefine it that they should do it in a new playground, and let OAuth develop without interference. That, unfortunately for OAuth, and the people who have already invested, is not happening.

PS: The argument that OAuth is too hard to implement is moot. Imho, everyone who had to implement it had already implemented it. If I could get it working in a month in the OPML Editor, even though it was a grueling month, it may be hard, but it's not too hard. Moot. An excuse to rip up the pavement and delay deployment, it seems to me.

Update: After writing this post I decided to look into what it would take to unbreak the OPML Editor's support for Twitter's OAuth implementation, and was able to fix it in about 45 minutes. I released the parts and documented it on the Frontier news website.

© Copyright 1997-2012 Dave Winer. Last update: Wednesday, June 09, 2010 at 2:14 AM Eastern. Last build: 8/26/2012; 5:36:11 PM. "It's even worse than it appears."
