Author here. I wrote this draft a few years ago after getting frustrated with OAuth 2.0. And, whilst I am grateful for llambda for posting it to HN, it was never meant to be published in this unfinished state. So please bear this in mind as you come across incomplete sections.
I never bothered to finish it back in 2010 since everyone seemed quite content with OAuth 2.0 at that time. However, now that it has been posted, I would love to know if anyone would like to see a completed version.
[Edit: Also, any criticisms of what's already there and thoughts on anything else you feel should be included would be really appreciated. Thanks!]
The only real problem with 1.0 is the difficulty of implementing it correctly and later debugging it when things go wrong (aka, the infamous generic "Invalid Signature" errors). In my mind, it would go a long way if generating a signature was based on a random nonce (say 16 bytes) + client id + client secret + access token.
I was a bit disappointed that the part on requesting and receiving a token, the really important part, was basically missing. Looking forward to seeing the proposed flow there. The stuff on hashcash is straightforward and hopefully foolproof for implementors and library authors.
The only hard suggestion I have is to fork the the client management part to to an extension standard draft. The Hypermedia zealots are going to have a fit when they see `action: "delete"`. Leave that discussion for later and get the rest out the door.
Great question. Unfortunately, it's not easy to do DNS queries from within today's browsers. However, all modern browsers already support [1] cross-origin XMLHttpRequests and the Access-Control-Allow-Origin header [2].
Thus a fixed URI like /.well-known/oauth.json would allow us to potentially do everything from service discovery to authorized requests from within client-side JavaScript apps without the need for server-side proxying or interpretation.
This is all way too complicated. All of the service-discovery you need can be encoded in the WWW-Authenticate header.
The only problem that OAuth really solves is coming up with some way for a third party to get an arbitrary set of revocable credentials that authenticate the (user, app) pair instead of just having every app use user credentials directly (because that's a phishing hazard). All we need is a standardized mechanism for getting those credentials, and then we can all continue to use Basic and Digest authentication over HTTPS.
OAuth 2.0 almost does that. It actually allows it, but it just has a little too much extra cruft. If you strip out refresh tokens, replace Bearer and MAC authentication with Basic and Digest authentication, mandate HTTPS, and add a couple of qop-options to the WWW-Authenticate header on the 401 response (see RFC 2617) that identify the authorization and token endpoints, you'd have a working standard, and it would be childsplay for anyone to implement it.
EDIT: So the 401 response would looks something like:
I think the reason most people give is that HTTP requests are usually easier to implement than DNS lookups. I do like the idea of DNS lookups tho, seems cleaner.
They serve different purposes; Persona is about authentication, OAuth _may_ be used for authentication but its original purpose is authorization - letting websites and applications access your content from other sites (e.g. letting an application post Tweets in your name) without giving them your password.
Interesting. We develop oauthlib (an OAuth logic implementation for python, https://github.com/idan/oauthlib). Will has a chat with the other contributors about implementing this.
I wrote an implementation of Oauth 2.0 as a Rails Engine (github.com/schneems/opro). IMHO any future "auth specs" should require a working implementation in code (any language).
My apologies. As donatzsky correctly assumed, I haven't checked the site on Windows for a long time. An overwhelming majority of my readers have tended to be on OS X or Linux. But thanks for letting me know. I'll make sure to test on Windows too the next time I do a design update. Cheers!
A simple fix would be to add Consolas as the first font in the list. It looks almost the same as Inconsolata, comes standard with Vista/7 and newer versions of Office (including the "Viewers"), and looks good on both Windows and Linux.
It's not just you. The code snippets use Inconsolata which, in my experience, looks splendid on Linux and absolutely crap on Windows. Presumably he never looked at his site from a Windows computer.
Is it possible to someone make distinctions in OAuth and OpenID/BrowserID? It seems like a lot of people use OAuth for identity verification rather than accessing data.
Or a different question, would it be possible to craft OAuth 3 in a way that it works great alongside BrowserID?
I never bothered to finish it back in 2010 since everyone seemed quite content with OAuth 2.0 at that time. However, now that it has been posted, I would love to know if anyone would like to see a completed version.
[Edit: Also, any criticisms of what's already there and thoughts on anything else you feel should be included would be really appreciated. Thanks!]