[OAUTH-WG] OAuth: The frustrating lack of good libraries
Daniel Fett <fett@danielfett.de> Tue, 01 March 2022 17:18 UTC
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C66E3A0D5B for <oauth@ietfa.amsl.com>; Tue, 1 Mar 2022 09:18:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.602
X-Spam-Level:
X-Spam-Status: No, score=0.602 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gscadYC8ggte for <oauth@ietfa.amsl.com>; Tue, 1 Mar 2022 09:18:08 -0800 (PST)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 825323A0B28 for <oauth@ietf.org>; Tue, 1 Mar 2022 09:18:08 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 1090418050 for <oauth@ietf.org>; Tue, 1 Mar 2022 17:18:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1646155083; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=gLxatYnSKpYsa9hKGNfu8ID596TXdkmoXwbUkrSW9BQ=; b=Dk+JiGey8Jt3pdPl5B1WeqHvbf95KtPtcYKViwMBKYSiSF8BcEyr9o/pQJO2If7V9RpgvK 1Zg56BxS3aOEagE76e9wJCkWoLkjU6cnS0Nac7WuBJ7dM2fOayDn4T0StUJKlvGQFgKRN8 0oPtJJL+QUdWKmv+4nND0vxEAMcjdyI=
Content-Type: multipart/alternative; boundary="------------HlZWd4xGG1o3PeCiCN7vufT0"
Message-ID: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Date: Tue, 01 Mar 2022 18:18:02 +0100
MIME-Version: 1.0
To: oauth <oauth@ietf.org>
Content-Language: de-DE
From: Daniel Fett <fett@danielfett.de>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1646155083; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=gLxatYnSKpYsa9hKGNfu8ID596TXdkmoXwbUkrSW9BQ=; b=letK8f4hHAdgERQ9WWk+2TR6O4rZGqiMxmZUmbTYvr33NmJyQMRiF91bJnP7Aa+mVBgi2Q 0VTGBlsANxVFiwYY9ysDoGJFPEYy6XOZxSdEHE4EthuMF3iPXcaQa7aKsEwK5XkfJoQUB3 ZsK5BLW3NuqzniW8krijbl7S48XuZrk=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1646155083; a=rsa-sha256; cv=none; b=QEFAlLMHD0eUU4wOAOBDgo+FWcEnGg8jJRKf65kCt3bsN9xom+SI7hB93Y/Q01sOIYW8Dz 6ZtnqmkLkp8BOVRo27K8aZKFuz8k39U1Mw29BiJFIQVEJNByDnC2k5ahBw4SdZ/cK4YsFW QA0Y85GgKQj/688f3bAsNOLaTf/NGxc=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: ---
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h9_Ki1UYT8sS0xKqGrzWI6yHaNA>
Subject: [OAUTH-WG] OAuth: The frustrating lack of good libraries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2022 17:18:14 -0000
** *Hi all,* * While helping clients to onboard into the yes ecosystem, in my consulting work, and in discussions with developers implementing OAuth 2.0, one topic comes up increasingly often: The (somewhat frustrating) lack of good, modern, and universal OAuth libraries. Many of the libraries out there have one or more of the following drawbacks: * They are not maintained any longer * They are not well documented (e.g., it is often unclear which specifications are supported) * They support only a subset of the OAuth 2.0 specification * They work only with selected providers (e.g., Google, Facebook, etc.) * It is unclear whether they follow recent security recommendations * They do not support modern features, such as PKCE, AS Metadata, MTLS, etc. Exceptions exist, of course, like Filip's Node.js implementation and the nimbus library for Java. But apart from those rare cases, when a developer asks me what library to use, my answer is often: "I don't think there's a good one in your language". It is a telltale sign that many providers of OAuth protected APIs also provide a custom OAuth implementation in their SDKs, which they then often have to maintain for a number of languages. This creates unnecessary costs and friction, e.g., when introducing new security features. At the same time, practically every language/framework comes with a TLS stack and making HTTPS requests is often just a few lines of code. Why aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a framework, not a single protocol like TLS, but the mentioned libraries show that this does not preclude a comprehensive library support. If I had to speculate about the reasons for this mess, I'd say that there are three: * The core of OAuth is easy to implement. The need to create or use a library might not be obvious to developers. Of course, if you want a proper implementation with correct error handling, observing all the security recommendations, etc., the effort is huge. But just getting OAuth to work for one specific use case is relatively easy. * OAuth is traditionally hard to configure: authorization and token endpoint URLs, client id and secret, supported scopes (and claims for OIDC), supported response types and modes, and required security features are just some of the things a developer has to figure out - often from the API's documentation - to get everything up and running. Even though configuration is not the same as implementation, I imagine that this complexity can lead to the perception that there are barely any commonalities between different OAuth flows. There might be no value, after all, in an OAuth library, if I have to provide so many details myself. * With many extensions and specifications to choose from, it can be hard to select a reasonable subset to support. What can we do about this? I'm not sure, but I have a few ideas. * Of course, one step would be to increase visibility and documentation for existing implementations: Beyond listing libraries (like the list on oauth.net), it would be great to have a place to go to to find libraries based on their feature support. I'm sure there are more good libraries out there. * The OpenID Foundation has a great set of conformance tests for OIDC, FAPI and other stuff. Creating conformance tests for OAuth would be harder, given that the framework leaves many options for implementers to choose from. I’m not sure if running a conformance programme would be in the scope of IETF, but it can be worthwhile to think about if we could support such an endeavor. * The single most important thing to do would, in my opinion, be to set a goal: Tell library developers and language maintainers what can be expected from a good, modern, and universal OAuth library. Such a recommendation would shine a light on the most important extensions for OAuth like PKCE and might even be a prerequisite for conformance tests. It may turn out to be OAuth 2.1 or something else. For me, this would in any case include AS Metadata, as that is the single most valuable building block we have to address configuration complexity. I would be interested to hear what others think about this. Is this a problem worth addressing? Are there other solutions? Is this out of scope of our work here? -Daniel * -- https://danielfett.de
- [OAUTH-WG] OAuth: The frustrating lack of good li… Daniel Fett
- Re: [OAUTH-WG] OAuth: The frustrating lack of goo… Warren Parad
- Re: [OAUTH-WG] OAuth: The frustrating lack of goo… Sascha Preibisch
- Re: [OAUTH-WG] OAuth: The frustrating lack of goo… Joseph Heenan
- Re: [OAUTH-WG] OAuth: The frustrating lack of goo… Daniel Fett
- Re: [OAUTH-WG] OAuth: The frustrating lack of goo… Warren Parad
- Re: [OAUTH-WG] OAuth: The frustrating lack of goo… David Waite