+4  Q: 

Has OAuth failed?

I am considering using OAuth for Single Sign-On (SSO) with RESTful services. At first sight, using OAuth as the de-facto standard looked natural to me. But I must confess that I don't understand how to use it for SSO. While studying OAuth I discovered more and more criticism of OAuth - so much that I tend to think OAuth has failed.

OAuth is hard to implement.

Usability is poor.

Why Facebook doesn't implement OAuth today:

  • "OAuth is more complex and less performant than our own native authentication mechanism"
  • "OAuth WRAP looks like it will solve most or all of these problems"
  • bad performance because of too many requests and long URIs
  • "library quality is overall pretty poor"

Possibly WRAP, powered by Microsoft, Yahoo and Google, is going to replace OAuth.

What's going on with OAuth (and WRAP)?

So has OAuth failed? What are the alternatives for SSO - preferably those with wide acceptance or the perspective to become widely used? Would you prefer WRAP?

A: 

I've implemented OAuth in Java, and it is really hard to implement OAuth with the HMAC-SHA1 signature (in my experience).

I wouldn't know whether it has failed, though. Yahoo has Browser-Based Authentication (known as BBAuth), which is another SSO for web applications. You can find more about BBAuth on the Yahoo Developer Network (YDN).

Google has AuthSub which you can find on their API (I can't add links to it seeing I'm not privileged to do so).

The Elite Gentleman
A: 

Yes, yes it has.

Andrew G. Johnson
Not particularly useful without elaboration.
Paul Osman
+4  A: 

OAuth isn't an SSO solution; it's a protocol commonly used for delegated API authorization. 3-legged OAuth allows a client requesting access to a protected resource to delegate authorization to the server hosting that resource. Basically, the user doesn't have to give their credentials to a 3rd party (the client), only to the server hosting the protected resource. OpenID may be a more appropriate solution if you are looking to implement single sign-on. You can also use the OpenID OAuth extension, which will allow you to combine authentication with authorization via OAuth.

Work is currently being done on OAuth 2.0. WRAP was developed as a stop-gap solution to address some use cases not covered by the original OAuth 1.0a spec. WRAP will not replace OAuth, rather ideas from WRAP will make their way into OAuth 2.0 where appropriate. A number of the original authors of OAuth, as well as one of the authors of WRAP have written about this here:

What's going on with OAuth?

So no, OAuth hasn't failed, in fact it's enjoyed pretty wide adoption. OAuth 1.0 will continue to be implemented by a large number of providers and eventually OAuth 2.0 will be available as well. WRAP is there for people who want to take advantage of the use cases it addresses now.

With regard to the difficulty of implementing OAuth as a client, why not try it out? The available libraries are of varying quality, but with a decent one you can usually implement an OAuth client in under a day.

Paul Osman
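To make the two technical points in this thread concrete (the HMAC-SHA1 signature that the first answer found hard to implement, and the 3-legged delegation described in the answer above, where the user's password never reaches the client), here is a self-contained worked example. It is added here and is not code from any poster or from an OAuth library: it implements the OAuth 1.0a signature base string and HMAC-SHA1 signing as specified in RFC 5849 (sections 3.4.1, 3.4.2 and 3.6), and runs the three legs against a toy in-memory server that stands in for a provider's HTTPS endpoints. The consumer key/secret, the photos.example.net and printer.example.com URLs, and the "alice" resource are constructed sample values; the server also does what a real provider must do and the spec text only implies: reject stale timestamps, replayed nonces and bad verifiers, and compare signatures in constant time.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s):
    """RFC 5849 3.6: percent-encode everything except unreserved characters."""
    return quote(str(s), safe="-._~")


def normalize(params):
    """RFC 5849 3.4.1.3.2: encode keys/values, sort, join; oauth_signature itself is never signed."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD&encoded(base URL)&encoded(normalized params); url has no query string."""
    return "&".join([method.upper(), pct(url), pct(normalize(params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2 HMAC-SHA1; the key is both secrets, each encoded, joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def oauth_params(consumer_key, token=None, **extra):
    """Client side: the protocol parameters every signed request carries."""
    p = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
         "oauth_version": "1.0"}
    if token:
        p["oauth_token"] = token
    p.update(extra)
    return p


class Server:
    """Toy in-memory resource server (assumption: stands in for a provider's HTTPS endpoints)."""

    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret, pre-registered
        self.temp = {}              # temporary credentials: token -> {secret, verifier}
        self.access = {}            # token credentials: token -> secret
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params):
        """Recompute the signature server-side; reject stale timestamps and replayed nonces."""
        ckey = params.get("oauth_consumer_key")
        if ckey not in self.consumers:
            raise PermissionError("unknown consumer")
        if abs(time.time() - int(params["oauth_timestamp"])) > 300:
            raise PermissionError("stale timestamp")
        nonce = (ckey, params["oauth_timestamp"], params["oauth_nonce"])
        if nonce in self.seen:
            raise PermissionError("replayed nonce")
        token, token_secret = params.get("oauth_token"), ""
        if token is not None:
            token_secret = self.access.get(token) or self.temp.get(token, {}).get("secret")
            if token_secret is None:
                raise PermissionError("unknown token")
        expected = sign(method, url, params, self.consumers[ckey], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen.add(nonce)

    def initiate(self, method, url, params):
        """Leg 1: temporary credentials, request signed with the consumer secret only."""
        self.verify(method, url, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[tok] = {"secret": sec, "verifier": None}
        return tok, sec

    def authorize(self, tok, user_consents):
        """Leg 2: the resource owner logs in HERE, never at the client, and approves or denies."""
        if not user_consents:
            raise PermissionError("resource owner denied access")
        self.temp[tok]["verifier"] = secrets.token_hex(4)
        return self.temp[tok]["verifier"]

    def token(self, method, url, params):
        """Leg 3: temporary credentials plus verifier are exchanged for token credentials."""
        self.verify(method, url, params)
        t = self.temp.pop(params["oauth_token"])
        if t["verifier"] is None or not hmac.compare_digest(t["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("bad or missing verifier")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access[tok] = sec
        return tok, sec

    def photos(self, method, url, params):
        """Protected resource: only token credentials, not temporary ones, may reach it."""
        self.verify(method, url, params)
        if params.get("oauth_token") not in self.access:
            raise PermissionError("token credentials required")
        return {"owner": "alice", "file": "vacation.jpg"}  # constructed sample data


def three_legged_flow(server, consumer_key, consumer_secret, user_consents=True):
    """The client's side of 3-legged OAuth 1.0a; URLs are hypothetical."""
    base = "https://photos.example.net"
    p = oauth_params(consumer_key, oauth_callback="https://printer.example.com/cb")
    p["oauth_signature"] = sign("POST", base + "/initiate", p, consumer_secret)
    rtok, rsec = server.initiate("POST", base + "/initiate", p)
    # The user-agent is redirected to the server's authorization page; the verifier comes
    # back on the callback, and that is all the client ever learns about the user's login.
    verifier = server.authorize(rtok, user_consents)
    p = oauth_params(consumer_key, rtok, oauth_verifier=verifier)
    p["oauth_signature"] = sign("POST", base + "/token", p, consumer_secret, rsec)
    atok, asec = server.token("POST", base + "/token", p)
    p = oauth_params(consumer_key, atok)
    p["oauth_signature"] = sign("GET", base + "/photos", p, consumer_secret, asec)
    return server.photos("GET", base + "/photos", p)
```

Most "hard to implement" bugs in OAuth 1.0 clients live in `normalize` and `base_string`: double percent-encoding of values (a space becomes `%20` in the parameter and `%2520` in the base string), sorting by the encoded key, and keeping the query string out of the base URL. Comparing `base_string(...)` against a known-good value is the quickest way to find a signature mismatch before touching HMAC at all.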