OAuth 2 is definitely not going anywhere any time soon. It solves a suite of problems really well, in a way that developers can get right more often than not. Even so, I think it’s time to start looking toward what’s next. It’s not up to me whether this deserves the OAuth branding or not, but I wanted people to both be aware of the work and to start the conversation on it. I think there’s some good work that we can do here.
— Justin

On May 6, 2019, at 4:42 PM, Hans Zandbelt <hans.zandb...@zmartzone.eu> wrote:

OAuth 2.0 has its merits and will be around for the next 20 years or so; yet we're bumping into its limitations every day, if only for its complexity and its incomprehensibility to regular IT peeps who don't have the full historical background; support for transactions is obviously missing today. I'm in for simplifying things, collapsing request parameters, use cases, PKCE, PoP etc. into a non-backwards-compatible protocol, and suggest adopting something similar to what you propose to become OAuth 3.0 (there, I said it ;-))

Hans.

On Mon, May 6, 2019 at 8:44 PM Justin Richer <jric...@mit.edu> wrote:

In a vein related to Torsten's recent thread and blog post, I've also been working on a proposal around Transactional OAuth. As many of you know, I wrote a blog post about the basic idea last fall, and now I've got something a bit more concrete online that people can poke around with. I'm calling it "XYZ" just to give it a name, and it's online here: https://oauth.xyz/

I need to be very clear: this is not wire-compatible with OAuth2, but is instead a transactional (intent-pattern) protocol that implements a lot of the core concepts and a few new ones in a different framework. There have been a lot of attempts to extend and adapt OAuth in the last few years, and in my opinion that's gotten us painted into a bit of a corner as we keep trying to solve new problems. By breaking away from backwards compatibility, I found that I was able to simplify a lot of the concepts, make different actions more consistent, and make it more widely flexible.

Also to note, I've read through Torsten's draft, and I think that his ideas of what's in a "Structured Scope" could be a replacement for the hand-waving idea I have in the "resources" section of XYZ.

I'm continuing development of this protocol, including a couple of toy implementations, all of them open source. I have started a writeup in spec language, and I plan to have it cleaned up and submitted prior to Montreal — where I'll be attending in person and hope to discuss this as a potential WG item.

— Justin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
hans.zandb...@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu