OAuth - why is it so complex?

I just wanted to express my appreciation for the horrible invention of OAuth2.
Their main "selling" point: OAuth 2.0 focuses on client developer simplicity lol


It IS simple! Compared to the alternatives. Be glad you aren't having to use SAML!!

...easy to say, now Bart has put all the hard work in :laughing::laughing::laughing:


Well, I AM part of the NHS working group looking at Identity Management, authentication and authorisation across the NHS. :wink:

Of course it is. Could you please enlighten the whole world on how one can perform an OAuth2 authorization request without a browser?

OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

It isn't meant to be used for unattended logins unless you use the OAuth 2.0 Device Authorization Grant.

Ok, weird: according to you it is "simple", while according to one of the OAuth architects it is extremely complex and needs an overhaul.

Getting back to the topic... If others have also tried this new version, please share your experience here, and let us know whether you are using HTTPS or HTTP.

(Discussion now moved to its own topic)


The use in the majority of cases IS simple and is immensely effective. It means we can extend our single sign-on capabilities with minimal effort while making use of federated identity services.

Doesn't mean that it can solve world poverty.

One of the problems is how it encourages people to conflate authentication with authorisation and that DOES end up making things complex.

Federated identity management is, as a whole, incredibly complex and don't even get me started on federated permissions - another project I'm working on is called the NHS Digital Staff Passport and if you want complex, that'll provide it in spades.

But if you want to log into a service that uses OAuth using your Microsoft/Google/GitHub or god help you, Twitter or Facebook identities, then it is mostly a fairly simple configuration exercise. If you want to do it with SAML, not so much.

I think it's worth reading this (rather long) article:

Having implemented it several times, I would save my own opinion on OAuth for myself :slight_smile:

As such we often see OAuth 2 and OIDC used in the wrong context.

Yup, that is certainly the main problem. :grin:

It isn't that OAuth is "Simple" (capital S) but rather that it is simpler at what it does than the standards that came before it! Doubtless some clever souls will invent still better things.

IDAM is a very complex area. Even more so when you get into federated IDAM and "Zero Trust" models. The solutions to federated IDAM are never going to be "Simple".

I had to give up and throw the towel in with this a couple of years ago.
We use a water telemetry system in AU, "Observant"; they offer OA2 for 3rd-party development.
The plan was to get all the values from the Observant devices using Node-RED and merge them with other devices and protocols, then send batch data to the cloud via MQTT.

We couldn't get past the unattended part. We ended up web scraping, but that was against T&C of the app, so had to stop!
Any developments on OA2 please share, would love to try this again one day!

The problem is that OAuth's primary use is for attended authentication. For unattended, I think that you have to use the Device Auth Grant. But bear in mind that I'm not primarily a developer but rather an IT Enterprise Architect so the details of how to code such things are not normally in my bailiwick any more.

All I can say is that for unattended use, OAuth providers generally have a means to register application-level access rather than user-level. For example, I set that up the other day on our Azure Tenancy for some testing of one of the Microsoft SDKs for node.js that gives access to the Microsoft Graph OData APIs. My idea being that I could set up a set of Graph query functions that could be called from Node-RED for doing things like user queries. Being a global admin on our Tenancy has some nice benefits in terms of R&D. :grin:
