OAuth 2.0 implementation

Jack Diederich jackdied at gmail.com
Tue Mar 27 07:24:16 CEST 2012


On Tue, Mar 27, 2012 at 12:24 AM, Ben Finney <ben+python at benfinney.id.au> wrote:
> Roy Smith <roy at panix.com> writes:
>
>> In article <878vimhfdp.fsf at benfinney.id.au>,
>>  Ben Finney <ben+python at benfinney.id.au> wrote:
>> > So, if I want to be free to choose an identity provider I trust, and
>> > it's not Facebook or Google or Twitter or other privacy-hostile
>> > services, how does OAuth help me do that?
>>
>> It doesn't.  Well, in theory, it could, but in practice everybody's
>> OAuth implementation is different enough that they don't interoperate.
>
> Thanks. So OAuth is a pseudo-standard that is implemented incompatibly
> to the extent that it doesn't actually give users the freedom to migrate
> their existing data and identity at will to any other OAuth implementor?

Pretty much.  It is nice that it is published as a standard at all but
the standard is just whatever people are actually doing.  It seems
less hostile when you think of it as vigorous documentation instead of
protocols set in stone.

-Jack



More information about the Python-list mailing list