OAuth 1 is fine
By Dave Winer on Thursday, July 26, 2012 at 8:22 AM.
If you haven't read OAuth 2.0 and the Road to Hell, stop everything now and go read it. The author, Eran Hammer, compares the OAuth 2.0 process to the WS-* process which was my own personal hell for a few years.
Obviously OAuth 1 and XML-RPC are comparable. I have implemented both. I think XML-RPC is simpler, but both specs can be implemented by a single person in a few days. With XML-RPC you got a lot of interop for that work. I've only tried my OAuth implementation with a small number of providers, but it generally works pretty well.
Then came SOAP. Where interop was very unlikely without profiles. It would be like throwing a penny out the window in Manhattan and hitting a fire hydrant in Queens. Yeah sure if the wind is blowing right you might hit the Queens hydrant. But it's not really very likely. And that was the point of SOAP. Enterprise developers could say they were conforming to the spec without all that messy interop. Sun and IBM were the two main culprits there, although I'm pretty sure Microsoft had people in the process who liked incompatibility. And once that ball was rolling, all kinds of assholes piled on. What started out as a beautiful idea and simple protocol turned into such a prolific nightmare that to this day people cite it as the canonical disaster of a standards body run wild.
Believe it or not there are people who see interop as a bad thing. It interferes with their business model, which is getting dumb customers to pay them big bucks to deliver the interop that the simple specs deliver for free.
I thought OAuth 2 was a bad idea when I heard about it. I thought it was even worse that they were calling it OAuth 2, because that would hurt OAuth 1. I had a stake in it because I had already implemented OAuth 1. Pretty sure I said something about it, but I got a pat on the head saying "You don't understand, this is going to be just like OAuth 1 but much better." Uh huh. Where have I heard that before? :-)
So now that community has to try to put it back together. Obvious leadership could come from Facebook, which as far as I can see, drove the move to 2.0. Seems it would be fair for them to also implement OAuth 1 now, and let's do some interop testing to make sure it works with Twitter's implementation. Then everyone else will have a solid base to shoot for. And an end to the confusion about what the future holds. Let's forget about OAuth 2.0. Let the IETF have it. Pop the stack and let's move on.
I'm saying this as an outsider, with no knowledge of the politics, which I'm sure is quite intense. I don't care. We do need a standard here, and it seems to me there is one. OAuth 1.0. If I had a vote I'd go with what Twitter implemented.
BTW, I wish Yahoo had stood their ground and said that the Flickr implementation, which all this stuff is patterned after, was "good enough" and everyone should just STFU and interop with that. I had an implementation of that protocol many years before all this michegas happened. It still works.


© Copyright 1997-2012 Dave Winer. Last update: Thursday, July 26, 2012 at 8:38 AM Eastern. Last build: 7/31/2012; 3:41:16 PM. "It's even worse than it appears."
