OAuth a closed system?
Hm. This was really a major surprise: [OAuth spec]
OAuth includes a Consumer Key and matching Consumer Secret that together authenticate the Consumer (as opposed to the User) to the Service Provider.
I.e., the service provider needs to know the consumer service in advance. Although the spec says
Consumer Secrets MAY be an empty string when no Consumer verification is needed.
the approach is clear.
So, what’s my issue? It’s simply that the Consumer Key kills spontaneous federation. For example, OAuth might get very handy with the opening of the social networks, but not all social networks can (and much less should!) be registered with each other; with these 93 services, it would require 8556 registrations (93 × 92, since every pair has to register in both directions). Furthermore, these registrations could slow the growth of new services, since users would have to wait for the services to register with each other. And, while I wouldn’t like to sound too cynical, this allows services to completely deny federation with other, chosen services. (Read: ‘big services’ may easily cripple ‘small services’ by closing them off.)
Please correct me, but it seems the OAuth board took a step backward from OpenID. I’m a huge fan of OpenID, and I’d like to see OAuth take the bright path too.
Decide whether or not to register your web application. Registered web applications have the advantage of being trusted by Google; the standard caveat displayed to users on the Google login page is omitted.
Vs. “you MAY not need to register your application.” (Emphasis not mine, although the quote is somewhat adapted.) But at least Google doesn’t punch you in the nose as a welcome (and that’s really something.. :)
This was also interesting (from OAuth; my bolds):
Service Providers SHOULD NOT rely on the Consumer Secret as a method to verify the Consumer identity, unless the Consumer Secret is known to be inaccessible to anyone other than the Consumer and the Service Provider.
Well, is it secret or not? So you still need to do IP-based authorization? This also undermines the “allows the Service Provider to vary access levels” claim.
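To make concrete what the Consumer Key/Secret actually does (the mechanism quoted above) and what the spec’s “MAY be an empty string” caveat means in practice, here is an added example of OAuth 1.0 HMAC-SHA1 signing on the consumer side and verification on the service-provider side. It is not code from this post or from the OAuth project; the consumer key, secret, nonce, hostnames and callback URL are all constructed for the example, and the `ServiceProvider` registry and nonce cache are my own illustration of what a provider has to keep.

```python
"""OAuth 1.0 consumer authentication: HMAC-SHA1 signing on the consumer side,
verification on the service-provider side, and what an empty Consumer Secret buys you.
Added example, not code from the post; identifiers and secrets below are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """Percent-encode per RFC 3986: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(str(value), safe="~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(base URL) & enc(normalized params).
    `params` holds every oauth_* and body/query parameter except oauth_signature."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    # Default ports are dropped from the base URL.
    if (parts.scheme == "http" and host.endswith(":80")) or (parts.scheme == "https" and host.endswith(":443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())  # sorted by encoded key, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is enc(consumer secret) & enc(token secret).
    For a request-token call there is no token yet, so the consumer secret is all that
    ties the request to a registered consumer."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class ServiceProvider:
    """Minimal provider: a registry of pre-registered consumers (the part of the spec the
    post objects to) plus a replay cache keyed on (consumer key, nonce)."""

    def __init__(self, registry):
        self.registry = dict(registry)   # consumer key -> consumer secret
        self.seen_nonces = set()

    def verify(self, method, url, params, token_secret=""):
        params = dict(params)
        presented = params.pop("oauth_signature", None)
        key = params.get("oauth_consumer_key")
        nonce = params.get("oauth_nonce")
        if presented is None or nonce is None or key not in self.registry:
            return False
        if (key, nonce) in self.seen_nonces:
            return False  # replayed request
        expected = sign(method, url, params, self.registry[key], token_secret)
        if not hmac.compare_digest(expected, presented):
            return False
        self.seen_nonces.add((key, nonce))
        return True


# Constructed sample request-token call (values are made up, not from any real service).
URL = "https://photos.example.net/request_token"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242090",
    "oauth_version": "1.0",
    "oauth_callback": "http://printer.example.com/ready",
}
REGISTRY = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}


def signed_request(params, consumer_secret):
    req = dict(params)
    req["oauth_signature"] = sign("POST", URL, params, consumer_secret)
    return req


def demo():
    """Returns (genuine accepted, wrong-secret forgery rejected, replay rejected,
    forgery against an empty-secret registration accepted)."""
    sp = ServiceProvider(REGISTRY)
    genuine = signed_request(PARAMS, REGISTRY["dpf43f3p2l4k3l03"])
    ok = sp.verify("POST", URL, genuine)
    # An attacker knows the consumer key (it travels in the clear) but not the secret.
    forged = signed_request(PARAMS, "guess")
    forged_ok = sp.verify("POST", URL, forged)
    replay_ok = sp.verify("POST", URL, genuine)
    # "Consumer Secrets MAY be an empty string": then the key alone is the credential,
    # and anyone who has seen it can sign as that consumer.
    open_sp = ServiceProvider({"dpf43f3p2l4k3l03": ""})
    anon = signed_request(PARAMS, "")
    anon_ok = open_sp.verify("POST", URL, anon)
    return ok, forged_ok, replay_ok, anon_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The last case is the point of the quoted “SHOULD NOT rely on the Consumer Secret” clause: once the secret is empty, or is shipped inside a desktop or browser-side consumer where anyone can read it, the signature only proves that the sender knows the Consumer Key, which every request already discloses. A provider that wants to “vary access levels” per consumer then has nothing stronger than that key to hang the decision on, which is exactly why the fallback ends up being IP-based or similar out-of-band checks.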
I hope that I’m wrong and someone corrects me. I really would like to have an open federation mechanism.