I have to admit, I’ve been surprised by the tone and magnitude of the reaction to my announcement. I’ve been following the reactions on Twitter and every follow-up blog post I could find. I’d like to share some follow-up thoughts about this decision and the reactions to it. First, I didn’t say ‘dead’, I said ‘bad’.
Everything is fine
Few people came to the defense of the protocol, the working group, and the IETF. Surprisingly few. In fact, no one has raised the issue on the mailing list. This is not exactly a Hy-Brazil moment, but some of the reactions do make me wonder.
One response worth reading was from John Bradley in a post titled “The OAuth 2 Sky is NOT Falling”. John is a past collaborator (XRD) and someone I respect and his post offers a quality reaction from someone on the other side of the issue. As a leading contributor and co-author of the OpenID Connect family of specifications, it is easy to understand why John and that community are happy with OAuth 2.0 and the process it followed.
OpenID Connect is heavily based on OAuth 2.0 – I personally find it overly complex. Most of the OpenID Connect members joined the OAuth list in order to protest decisions that would have made it too restrictive for OpenID Connect to use OAuth 2.0, and their participation explains a few of the underspecified areas of the specification.
Another community that has been very satisfied with OAuth 2.0 is UMA. Some of the UMA project leads are people I like and respect, like Eve Maler. In the past I have invited members of the UMA community to share their project with the OAuth community on the mailing list, at IETF meetings, and on this blog. It has been a long time since I read up on UMA but I was always skeptical about its relevancy to the consumer web world I care about. UMA is also based on OAuth 2.0 and relies on many of its extensibility areas to operate. If you want to get an idea of the complexity (and richness) of this world, this is a good place to start.
One last example of OAuth 2.0-based work that can help explain and justify the “decisions made” on OAuth 2.0 is OMAP (Online Multimedia Authorization Protocol). OMAP is an enterprise specification dealing with authorizing access to multimedia content and was authored by lead players in the space. I honestly don’t understand the value of basing this work on OAuth 2.0 or how such an extension could be claimed to operate in the same ecosystem. It is the perfect example of the real use cases guiding the working group and the real-world application some members of the group were focusing on.
So, yeah. For some people “the sky is not falling” and OAuth 2.0 is a success. It is easy to see where they are coming from and why they hold this view. If OAuth 2.0 was a contest, they are clearly the winners and they won fair and square by playing by the IETF rules. I just don’t want to lend it my name, whatever it is worth.
Eran is an asshole
I fully respect the opinions of those who have directly interacted with me in person or online and formed positive or negative opinions about me. My style is aggressive, direct, honest, and often combative. I don’t (and cannot) pretend otherwise. All it takes is reading a small sample of my blog posts or mailing list communications to get a clear and accurate sense of who I am and what I’m like. I am exactly the same way in person.
But this also means that three years into this effort, to paint my move in negative personal attacks is childish and hypocritical, especially from people who never interacted with me directly (or those who pretended to be my friends).
In a comment to my announcement, Dick Hardt, in a personal attack, points to the fact that I insisted on full editorial control and therefore can only blame myself. The facts are somewhat different. I was offered a place on the editorial team with two others. I declined and said I don’t edit with other people, but was happy to let them do the work without me. I was made solo editor. It was all very pleasant. The IETF process makes it trivial for the working group chairs and area director to remove, replace, or supplement an editor at will. They really don’t need any reason.
A few months ago, when I started considering removing my name from the specification, I reached out to Mr. Hardt as a listed co-author on the document. His advice? “I don’t think it will serve you well. Better to stay the course and be disappointed with result. You can remain editor and blame IETF post editor role process.”
Facebook and Google are doing just fine thank you
A quality, respectful, and worthy response from Tim Bray makes the argument that clearly, the existing (and very successful) deployment of OAuth 2.0 on the web tells a different story. I don’t disagree. As I said before, in the right hands, after applying the right security and making some decisions, OAuth 2.0 can be great. Facebook made those decisions (one of which was to ignore the last 20-something drafts) and so did Google. However, even Facebook with their vast resources had issues with 2.0 and ended up addressing them with proprietary solutions (e.g. a callback signature, login parameters).
I would have been thrilled if the final result was a documentation of the Google or Facebook implementations and nothing else. That would have been a useful protocol.
If you are not sure what I am so upset about, it is the total lack of making choices. Given the new architecture and capabilities, OAuth 2.0 should have been much more restrictive and narrow.
The IETF is good, the IETF is bad
A few reactions focused on the IETF part of the story. No one seemed to offer an actual defense of the organization. Joe Gregorio offered one only to immediately take it away. At best, people pointed to past successes at the IETF as proof the organization is still relevant and effective. The problem is that their examples are all from two decades ago. The second line of defense simply states that standards are hard and that’s just the nature of the beast. OAuth 1.0 proves it doesn’t have to be.
I can live with all the reaction above. Even those dismissing my arguments or calling me an asshole. I expected those. What I didn’t expect was an overwhelming expression of joy and schadenfreude. I didn’t realize just how much this specification was hated among web developers. I knew people were not thrilled about it but never imagined the level of discontent.
What is actually upsetting is that all these people (and we are talking hundreds of individual posts on Twitter) never bothered to engage. Three years is a long time to hate something this much without sending an email to the mailing list expressing it. If only a fraction of these people showed up, we would not be here today. People actually were paying attention but doing nothing about it.
Now, that’s just sad and pathetic.
(As always, comments are welcomed)