OAuth 2.0 has its merits and will be around for the next 20 years or so; yet we're bumping into its limitations every day, if not only for its complexity and its incomprehensibility to regular IT peeps who don't have the full historical background; support for transactions is obviously missing today. I'm in for simplifying things, collapsing request parameters, use cases, PKCE, PoP etc. into a non-backwards-compatible protocol, and suggest adopting something similar to what you propose to become OAuth 3.0 (there, I said it ;-))
Hans.

On Mon, May 6, 2019 at 8:44 PM Justin Richer <jric...@mit.edu> wrote:
> In a vein related to Torsten's recent thread and blog post, I've also been
> working on a proposal around Transactional OAuth. As many of you know, I
> wrote a blog post about the basic idea last fall, and now I've got
> something a bit more concrete online that people can poke around with. I'm
> calling it "XYZ" just to give it a name, and it's online here:
>
> https://oauth.xyz/
>
> I need to be very clear: This is not wire-compatible with OAuth2, but is
> instead a transactional (intent-pattern) protocol that implements a lot of
> the core concepts and a few new ones in a different framework. There have
> been a lot of attempts to extend and adapt OAuth in the last few years, and
> in my opinion that's gotten us painted into a bit of a corner as we keep
> trying to solve new problems. By breaking away from backwards
> compatibility, I found that I was able to both simplify a lot of the
> concepts, make different actions more consistent, and make it more widely
> flexible.
>
> Also to note, I've read through Torsten's draft, and I think that his
> ideas of what's in a "Structured Scope" could be a replacement for the
> hand-waving idea I have in the "resources" section of XYZ. I'm continuing
> development of this protocol, including a couple of toy implementations, all
> of them open source. I have started a writeup in spec-language, and I plan
> to have it cleaned up and submitted prior to Montreal — where I'll be
> attending in person and hope to discuss this as a potential WG item.
>
> — Justin
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
hans.zandb...@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu