Off the back of all the recent Facebook changes I just read the OAuth 2.0 spec – it’s currently in a draft state, and according to this page, Facebook is currently the only implementation in the wild. This new spec attempts to pull together various authentication journeys rather than just the typical web app model. This is great news: it seems to accommodate many different situations across differing devices with different capabilities, while maintaining a good level of consistency.
You didn’t expect me to have only nice things to say, did you? There are a couple of things I have to question.
It’s only a draft
Despite this spec being a draft, Facebook (who are represented in the working group) have gone ahead and implemented it anyway. Although this is a step up from the non-standard methods they’ve employed to date, it does make me wonder. Will the spec be finalised according to their implementation? Will they change their implementation if the spec changes? Or will they end up going in separate directions? (Think ECMAScript 4/ActionScript.) As with my gripes about the Open Graph, how “open” are standards when we have self-interested corporations in the driving seat?
Looser security for JavaScript clients
The so-called “user_agent” journey serves the needs of front-end applications that don’t have access to a web server (i.e. JavaScript-only apps). This support comes at a cost to security because request signing is not required (more to the point, signing would be redundant). The risk is a limited one – the “bearer tokens” must only be sent over SSL, so the worst you can do is take control of an app under the authentication of your own account. Still, I imagine it would be possible to post content that the app did not intend (use your imagination!). My main gripe here is in justifying the trade-off. The loosening of security is in favour of making apps easier to implement for more people – i.e. a Facebook business interest. I don’t think that’s a good enough reason to weaken the specification.
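As an added example (my own code, not from the post, from Facebook or from the draft itself) of the user_agent journey described above: a small browser-side helper that builds the authorization request and reads the bearer token back out of the redirect. The parameter names (type=user_agent, client_id, redirect_uri, state, access_token, expires_in, error) follow the 2010 draft’s user-agent flow as I read it and are an assumption here; the endpoint and callback URLs are constructed.

```javascript
// Constructed endpoint; a real client would use the authorization server's URL.
const AUTH_ENDPOINT = "https://auth.example.com/oauth/authorize";

// Build the redirect that sends the user to the authorization server.
// `state` is a random value the client keeps locally so it can tie the
// response back to this particular request (parameter names assumed from the draft).
function buildAuthorizationUrl(clientId, redirectUri, state, scope) {
  const params = new URLSearchParams({
    type: "user_agent",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  });
  if (scope) params.set("scope", scope);
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Parse the redirect back into the app. In the user-agent flow the token is
// carried in the URI fragment, which browsers never send to the server; that
// is what lets an app with no web server take part at all. Nothing is signed,
// so whoever holds the token can use it: the client at least insists on SSL
// and on a state value that matches the request it made.
function parseUserAgentResponse(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  if (url.protocol !== "https:") {
    throw new Error("bearer token delivered over a non-SSL redirect; refusing");
  }
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (frag.get("state") !== expectedState) {
    throw new Error("state mismatch: response does not belong to our request");
  }
  if (frag.has("error")) return { error: frag.get("error") };
  const token = frag.get("access_token");
  if (!token) throw new Error("no access_token in fragment");
  const expiresIn = frag.has("expires_in") ? Number(frag.get("expires_in")) : null;
  return { accessToken: token, expiresIn };
}

// What the server hosting the redirect URI actually receives: the browser
// drops the fragment, so the token never reaches it.
function asSeenByServer(redirectedUrl) {
  const url = new URL(redirectedUrl);
  url.hash = "";
  return url.toString();
}
```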
Thanks David. Link changed.
You might actually want to link to http://tools.ietf.org/html/draft-ietf-oauth-v2 which will stay up to date with each new draft. The second (well technically third) IETF Working Group draft was posted earlier today.
If you haven’t already, you should read http://www.ietf.org/mail-archive/web/oauth/current/msg02195.html from Luke Shepard, as he speaks to your first concern about Facebook shipping OAuth 2.0 while it’s still a draft. I’m far less concerned about the risk of fragmentation given that we’ve had the past few years to understand OAuth 1.0 in the wild.