OAuth 2.0 implementation

Demian Brecht demianbrecht at gmail.com
Tue Mar 27 07:30:32 CEST 2012


On Monday, 26 March 2012 21:24:35 UTC-7, Ben Finney  wrote:
> Roy Smith <roy at panix.com> writes:
> 
> > In article <878vimhfdp.fsf at benfinney.id.au>,
> >  Ben Finney <ben+python at benfinney.id.au> wrote:
> > > So, if I want to be free to choose an identity provider I trust, and
> > > it's not Facebook or Google or Twitter or other privacy-hostile
> > > services, how does OAuth help me do that?
> >
> > It doesn't.  Well, in theory, it could, but in practice everybody's 
> > OAuth implementation is different enough that they don't interoperate.
> 
> Thanks. So OAuth is a pseudo-standard that is implemented incompatibly
> to the extent that it doesn't actually give users the freedom to migrate
> their existing data and identity at will to any other OAuth implementor?
> 
> -- 
>  \         “Money is always to be found when men are to be sent to the |
>   `\   frontiers to be destroyed: when the object is to preserve them, |
> _o__)     it is no longer so.” —Voltaire, _Dictionnaire Philosophique_ |
> Ben Finney

OAuth 2.0 is the emerging standard (now passed on to IETF) to deal with providing access to protected resources. OpenID is a standard used to deal with authentication. While there is some overlap (OAuth can be used for authentication as well), the goals of the two protocols are different.

OAuth 2.0 is still in draft status (draft 25 is the current one I believe) and yes, unfortunately every single server available at this point have varying degrees of separation from the actual spec. It's not a pseudo-standard, it's just not observed to the letter. Google is the closest and Facebook seems to be the farthest away (Stack Exchange is in close second due to building theirs to work like Facebook's). That was pretty much how this work was born. I wanted to be able to implement authentication and resource access over multiple providers with a single code base.

So, in answer to your questions:

1) If you're only looking for a solution to authentication, OAuth is no better than OpenID. Having said that, with the apparent popularity of OAuth 2.0, more providers may support OAuth than will OpenID (however, that's just my assumption).

2) OAuth is all about centralized services in that it is how providers allow access to protected resources. Whether it's a social network or SaaS (such as Harvest: http://www.getharvest.com/), if there isn't exposure to protected resources, then OAuth becomes pointless.

3) If you're looking to implement OAuth authentication with a provider that you trust, grab the sanction source, implement said provider and send a pull request ;)

4) Data migration doesn't happen with OAuth. As the intent is to allow access to protected resources, migrating Google to say, Facebook just wouldn't happen :)

Hope that makes sense and answers your questions.
- Demian



More information about the Python-list mailing list