[Members] OAuth 2.0 and the Road to Hell

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 31 15:52:14 UTC 2012

On 7/31/12 9:35 AM, David Banes wrote:
> On 31/07/2012, at 4:16 PM, Peter Saint-Andre wrote:
>> On 7/30/12 2:10 AM, David Banes wrote:
>>> An interesting read from a key person within the OAuth project...
>>> OAuth 2.0 and the Road to Hell 
>>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>> Hi David,
>> Having been quite involved with the OAuth standardization effort at
>> the IETF, I might have more detailed comments once I have had a
>> chance to read Eran's post. However, I wonder why you think it's
>> relevant to folks on this list -- do you think that something
>> similar happened with XMPP technologies?
>> Peter
> Hi Peter,
> No that hadn't crossed my mind at all but it's interesting that it
> has yours! :-)

Back in ~2001, when we were first contemplating the idea of
standardizing the Jabber protocols at the IETF, I recall that a few
people were concerned about the initiative because it would "suck the
soul out of Jabber" or some such. Overall I think it went well, but I'm
sure that if we were doing it all again today we'd change some things
around (e.g., at the least we wouldn't do all those stream restarts!).

> I posted it just because I recalled OAuth over XMPP (XEP-0235) and
> that it had been deferred, I was wondering if this explained why it
> was deferred.

Well, XEP-0235 was using OAuth 1.0, but the new specs will be OAuth 2.0.
Once they're done at the IETF (and they are very close), it might be
worth revisiting XEP-0235 or similar concepts. Personally I think the
best area for re-use would be a SASL mechanism for OAuth.


Peter Saint-Andre
