22

The Web industry is shifting / has shifted towards using OAuth when extending API services to external consumers & developers. There is some elegance in simple... and well, the 3-step OAuth process isn't too bad... I just find it is the best of a bad bunch of options.

Are there alternatives out there that could be better, and more secure?

The security reference is derived from the following URLs:

I've come across this over on the IT Security stack exchange and thought it was poignant from a security point of view:

Maybe SAML 2.0 is an alternative?

What about OpenID?

The purpose of this question is from a programming point of view.

Is OAuth the best option that exists today ...?

Do alternative options exist which allow me to extend my Web Application to consumers that are better from a security point of view, an implementation point of view, longevity (won't require rework in a few months), and support for mobile applications consuming my web application?

sdolgy
  • Better in what way? What do you see as being wrong with OAuth? – Dean Harding Jun 22 '11 at 11:55
  • http://en.wikipedia.org/wiki/OAuth#Security – sdolgy Jun 22 '11 at 12:11
  • "The Web2.0 industry is shifting / has shifted towards using OAuth" That's a bold statement. While SE is one of the few examples that do use OAuth, I don't feel that the majority of sites does. – Tamás Szelei Jun 22 '11 at 12:37
  • facebook, twitter, weibo, yahoo, google, foursquare...they all provide it for consuming their api/services..no? – sdolgy Jun 22 '11 at 12:45
  • The important question is how many sites utilize them? – Tamás Szelei Jun 22 '11 at 13:13
  • @sdolgy: if you explain why you find other options (e.g. OpenID) lacking in comparison to OAuth, and explain in you question what OAuth lacks in security, then maybe more answers would be forthcoming. – Matt Ellen Jun 22 '11 at 14:27
  • @Matt Nowhere have I stated OpenID is lacking in comparison. I am asking for alternatives to OAuth. – sdolgy Jun 22 '11 at 14:27
  • Also: you might find a more receptive audience over at http://security.stackexchange.com/ – Matt Ellen Jun 22 '11 at 14:30
  • I was referring to "i just find [OAuth] is the best of a bad bunch of options" which implied to me that in comparison to OAuth, OpenID is lacking. I don't know IT security, so I'm interested in answers to your question. – Matt Ellen Jun 22 '11 at 14:32

1 Answer

12

Firstly, OAuth is not a login replacement. That's a task solved by OpenID and similar.

OAuth is a temporary data-transfer authorisation protocol. For the kind of task where you want to import your data from websiteA to websiteB, you'd use OAuth. But you'd still log in to websiteA using OpenID. However, Google recently announced a protocol that combined the two, so I guess the difference between them is more muddy than before.

An alternative to OAuth would be Facebook Connect. I'm not sure I know of any alternatives to that (perhaps some of the RPC security systems could be suitable for the web).

gbjbaanb
  • Thanks for explaining the distinction. I held a completely wrong assumption! – Matt Ellen Jun 22 '11 at 15:08
  • are concepts of OAuth not used to authenticate smart phones to websites? like a twitter or foursquare app for android...? – sdolgy Jun 22 '11 at 15:09
  • @sdolgy: yes, it's a means of authenticating a third-party app with your service without having to reveal your password to that app. – Dean Harding Jun 23 '11 at 10:05
  • It's worth mentioning that this doesn't cover all types of OAuth, e.g. Client Credentials. – Rob Grant Mar 20 '17 at 12:13
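The websiteA/websiteB flow the answer describes, as an added example (not code from the answerer or from any OAuth library): a toy OAuth 1.0a-style three-legged exchange in Python, where the consumer signs each leg with HMAC-SHA1 and the provider checks token kind, expiry and signature, so the user's password is only ever entered at websiteA. It is an outline of the scheme, not a conforming implementation: RFC 5849 percent-encoding, nonces and timestamps are left out, and the user, password, consumer key and contact data are constructed.

```python
import hashlib, hmac, secrets, time

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over method, URL and the sorted parameters, keyed 'consumer_secret&token_secret'
    (OAuth 1.0a in outline; RFC 5849 percent-encoding is deliberately omitted here)."""
    base = "&".join([method, url, "&".join(f"{k}={v}" for k, v in sorted(params.items()))])
    return hmac.new(f"{consumer_secret}&{token_secret}".encode(), base.encode(), hashlib.sha1).hexdigest()

class WebsiteA:
    """The provider: holds the user's password and data, and hands websiteB tokens instead of either."""
    def __init__(self, users, consumers):   # constructed credential tables, not real ones
        self.users, self.consumers, self.tokens = users, consumers, {}
    def _verified(self, url, params, token_secret=""):
        p = dict(params); sig = p.pop("oauth_signature", "")
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        return secret is not None and hmac.compare_digest(sig, sign("POST", url, p, secret, token_secret))
    def _issue(self, kind, user, ttl):
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.tokens[tok] = {"secret": sec, "kind": kind, "user": user, "exp": time.time() + ttl, "verifier": None}
        return tok, sec
    def _live(self, url, params, kind):   # right kind of token, unexpired, and the request signed with its secret
        t = self.tokens.get(params.get("oauth_token"))
        if not t or t["kind"] != kind or time.time() > t["exp"] or not self._verified(url, params, t["secret"]):
            raise PermissionError(f"no valid {kind} token")
        return t
    def request_token(self, params):   # step 1: signed with the consumer secret alone
        if not self._verified("request_token", params): raise PermissionError("unknown consumer or bad signature")
        return self._issue("request", None, 300)
    def authorize(self, token, username, password):   # step 2: the user logs in here, never at websiteB
        if self.users.get(username) != password: raise PermissionError("login failed")
        t = self.tokens[token]; t["user"] = username; t["verifier"] = secrets.token_hex(4)
        return t["verifier"]
    def access_token(self, params):   # step 3: one-shot swap of the authorised request token
        t = self._live("access_token", params, "request")
        if t["verifier"] is None or t["verifier"] != params.get("oauth_verifier"): raise PermissionError("not authorised")
        del self.tokens[params["oauth_token"]]
        return self._issue("access", t["user"], 3600)
    def contacts(self, params):   # the protected resource; unlocked only by a live access token
        return {"owner": self._live("contacts", params, "access")["user"], "contacts": ["bob", "carol"]}

def websiteb_import(a, key, secret, user_login):
    """websiteB (the consumer) walks the three legs; user_login stands in for the user's own browser at websiteA."""
    def call(endpoint, params, token_secret=""):
        p = {"oauth_consumer_key": key, **params}
        p["oauth_signature"] = sign("POST", endpoint, p, secret, token_secret)
        return getattr(a, endpoint)(p)
    rtok, rsec = call("request_token", {})
    atok, asec = call("access_token", {"oauth_token": rtok, "oauth_verifier": user_login(rtok)}, rsec)
    return call("contacts", {"oauth_token": atok}, asec)
```

Running the import with a wrong consumer secret, a wrong user password, or a request token where an access token is required each ends in a PermissionError from websiteA, while websiteB at no point handles the password itself.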