Fatih Pense's Blog

OAuth2: The standard that isn't

Thursday, August 1st, 2013

For the technologies I build on, I try to pick the most solid option with good prospects for today and the future. So if you are like me and want to create an API, you will come across OAuth2. OAuth2 had seemed to me a great innovation, given that Google, Facebook, GitHub etc. use it.

I was wrong.

Yes, standards are beautiful, but OAuth2 isn't really a standard. Google and Facebook use different implementations, and the OAuth2 specification permits this. So you can't write a client library once and talk to every OAuth2 API, because everyone is using a different implementation of their own. This vagueness breaks the promise of a standard.

People on the internet comment that this hurts smaller API providers. Imagine an ecosystem of open-source API servers and clients built around a well-defined spec. Instead, people have to ask questions on Stack Overflow about "a client that works with X API". It seems a great opportunity for the web has been missed.

BTW, for my use case so far the best alternative is to design a simple API that uses HTTPS and token authentication. You can also encrypt the token for improved security if you want. I'm open to suggestions.
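As an added illustration of the token scheme suggested above (not code from this post), here is a minimal bearer token that the server issues and later verifies: the claims are integrity-protected with an HMAC rather than encrypted, since they are not secret, and the check uses a constant-time comparison plus an expiry. The secret, the claim names and the `sub`/`exp` layout are assumptions; the token is meant to travel in an `Authorization` header over HTTPS, which is not shown.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical server-side key; a real deployment loads it from a secrets store.
SECRET = b"example-secret-not-for-production"


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, now=None, secret=SECRET) -> str:
    """Build <payload>.<tag>; the tag is HMAC-SHA256 over the raw payload bytes."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)


def verify_token(token: str, now=None, secret=SECRET):
    """Return the claims if the tag is valid and the token has not expired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token: wrong shape or not base64
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag byte-by-byte through timing
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified payload, or wrong key
    claims = json.loads(payload)  # safe: the MAC proved the bytes are ours
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims
```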

The OAuth author and former OAuth2 lead author, who left the project: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

More criticism on OAuth: http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html

(Update 2022: OAuth has come a long way, and compatibility improved in the meantime)