Although I don’t consider myself a security expert, in the last few weeks my path has crossed with some open security standards / protocols / initiatives (call’em whatever you’d like): namely OATH (http://www.openauthentication.org/) and OAuth 2.0 (http://oauth.net/).
Besides being frequently confused with each other, those two have one more thing in common - they just don’t play their role (anymore)…
- OATH - which was supposed to become an open standard for authentication, is an “open reference architecture for strong authentication” that … doesn’t even have a reference implementation. As it’s open, you could expect zillions of unofficial open-source implementations to be available, but there are just a few, for a limited number of platforms, and most of those are massively outdated… You don’t believe me? Try finding one for .NET.
- OAuth 2.0 - originally, it was supposed to become an open protocol for authorization. Currently it may be called anything BUT a protocol (they use the name “framework” atm), because its specification is so generic and high-level that it leaves a lot of room for interpretation by the reader. No-one can assess it better than one of its creators, Eran Hammer-Lahav: “When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.” (http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/)
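To give the OATH point some substance, here is an added example (not code from the original post, and not an implementation published by the OATH initiative) of the two algorithms OATH standardized: HOTP (RFC 4226) and TOTP (RFC 6238). It is written in Python and checked against the test vectors published in those RFCs, which use the ASCII secret “12345678901234567890”. The verifier-side pieces are the ones people usually get wrong, so they are included too: the look-ahead resynchronization window for HOTP, the clock-skew window for TOTP, constant-time comparison, and a replay check that refuses a time step that has already been consumed. The window sizes (look_ahead=10, skew=1) are my assumptions, not values from the page or the RFCs.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter,
    dynamic truncation of the digest, then reduce mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((T - T0) / X)."""
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, counter: int, candidate: str,
                digits: int = 6, look_ahead: int = 10):
    """Server side per RFC 4226 section 7.4: the token may have been pressed a few
    times without reaching the server, so try counter..counter+look_ahead.
    Returns the next counter value to persist on success, None on failure.
    (look_ahead=10 is an assumed window size, not a value from the RFC.)"""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1          # caller MUST store this so the same code is never accepted twice
    return None


def verify_totp(secret: bytes, candidate: str, now: int, last_used_step: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server side per RFC 6238 section 5.2: accept +/- skew steps around now to
    tolerate clock drift, but never a step at or before the last one consumed
    (replay protection inside the window). Returns the accepted step or None.
    (skew=1 is an assumed window size.)"""
    current = now // step
    for t in range(current - skew, current + skew + 1):
        if t <= last_used_step:
            continue              # already used (or older): reject as replay
        if hmac.compare_digest(totp(secret, t * step, step, digits), candidate):
            return t              # caller persists this as last_used_step
    return None


# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(10):
        print("HOTP counter", c, "->", hotp(RFC_SECRET, c))
    print("TOTP at T=59 (8 digits) ->", totp(RFC_SECRET, 59, digits=8))
```

Note that neither verifier is useful on its own: the whole security of HOTP rests on the server persisting the returned counter (and of TOTP on persisting the last accepted step) before answering the client; a server that forgets to do so accepts every code within the window as many times as the attacker likes.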
Should we care (or even worry)?
- In the case of OATH, personally I don’t care - the only point of an open standard for strong authentication is to keep small token vendors in the game (as long as they are standard compliant). But is there a direct benefit to those who are supposed to use the tokens, or who own the secured systems? I don’t think so.
- In the case of OAuth 2.0 it’s a little bit different - it seemed like a great idea to easily “outsource” the authorization to an external, trusted party - sadly it has its flaws, so each such provider had to implement its own “flavour” (obviously not standardized).
I still believe that OAuth 2.0 can be saved with additions like OpenID Connect (http://openid.net/connect/), but that can’t be taken for granted.
P.S. If you’re interested in OAuth 2.0, try the new Pluralsight course “Introduction to OAuth 2.0, OpenID Connect and JSON Web Tokens (JWT)” by Dominick Baier (http://pluralsight.com/training/Courses/TableOfContents/oauth2-json-web-tokens-openid-connect-introduction).