If you haven't read OAuth 2.0 and the Road to Hell, stop everything now and go read it. The author, Eran Hammer, compares the OAuth 2.0 process to the WS-* process, which was my own personal hell for a few years.
Obviously OAuth 1 and XML-RPC are comparable. I have implemented both. I think XML-RPC is simpler, but both specs can be implemented by a single person in a few days. With XML-RPC you got a lot of interop for that work. I've only tried my OAuth implementation with a small number of providers, but it generally works pretty well.
Then came SOAP, where interop was very unlikely without profiles. It would be like throwing a penny out the window in Manhattan and hitting a fire hydrant in Queens. Yeah, sure, if the wind is blowing right you might hit the Queens hydrant. But it's not really very likely. And that was the point of SOAP. Enterprise developers could say they were conforming to the spec without all that messy interop. Sun and IBM were the two main culprits there, although I'm pretty sure Microsoft had people in the process who liked incompatibility. And once that ball was rolling, all kinds of assholes piled on. What started out as a beautiful idea and simple protocol turned into such a sprawling nightmare that to this day people cite it as the canonical disaster of a standards body run wild.
Believe it or not, there are people who see interop as a bad thing. It interferes with their business model, which is getting dumb customers to pay them big bucks to deliver the interop that the simple specs deliver for free.
I thought OAuth 2 was a bad idea when I heard about it. I thought it was even worse that they were calling it OAuth 2, because that would hurt OAuth 1. I had a stake in it because I had already implemented OAuth 1. Pretty sure I said something about it, but I got a pat on the head saying "You don't understand, this is going to be just like OAuth 1 but much better." Uh huh. Where have I heard that before?
So now that community has to try to put it back together. Obvious leadership could come from Facebook, which, as far as I can see, drove the move to 2.0. It seems it would be fair for them to also implement OAuth 1 now, and let's do some interop testing to make sure it works with Twitter's implementation. Then everyone else will have a solid base to shoot for, and an end to the confusion about what the future holds. Let's forget about OAuth 2.0. Let the IETF have it. Pop the stack and let's move on.