Off the back of all the recent Facebook changes I just read the OAuth 2.0 spec – it’s currently in a draft state, and according to this page, Facebook is currently the only implementation in the wild. This new spec attempts to pull together various authentication journeys rather than just the typical web app model. This is great news – it seems to accommodate many different situations across differing devices with different capabilities, while maintaining a good level of consistency.
You didn’t expect me to have only nice things to say, did you? There are a couple of things I have to question.
It’s only a draft
Despite this spec being a draft, Facebook (who are represented in the working group) have gone ahead and implemented it anyway. Although this is a step up from the non-standard methods they’ve employed to date, it does make me wonder. Will the spec be finalised according to their implementation? Will they change their implementation if the spec changes? Or will they end up going in separate directions (think ECMAScript 4/ActionScript)? As with my gripes about the Open Graph, how “open” are standards when we have self-interested corporations in the driving seat?