[OAUTH-WG] OAuth: The frustrating lack of good libraries

Daniel Fett <fett@danielfett.de> Tue, 01 March 2022 17:18 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5C66E3A0D5B for <oauth@ietfa.amsl.com>; Tue, 1 Mar 2022 09:18:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.602
X-Spam-Status: No, score=0.602 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id gscadYC8ggte for <oauth@ietfa.amsl.com>; Tue, 1 Mar 2022 09:18:08 -0800 (PST)
Received: from d3f.me (redstone.d3f.me []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 825323A0B28 for <oauth@ietf.org>; Tue, 1 Mar 2022 09:18:08 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 1090418050 for <oauth@ietf.org>; Tue, 1 Mar 2022 17:18:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1646155083; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=gLxatYnSKpYsa9hKGNfu8ID596TXdkmoXwbUkrSW9BQ=; b=Dk+JiGey8Jt3pdPl5B1WeqHvbf95KtPtcYKViwMBKYSiSF8BcEyr9o/pQJO2If7V9RpgvK 1Zg56BxS3aOEagE76e9wJCkWoLkjU6cnS0Nac7WuBJ7dM2fOayDn4T0StUJKlvGQFgKRN8 0oPtJJL+QUdWKmv+4nND0vxEAMcjdyI=
Content-Type: multipart/alternative; boundary="------------HlZWd4xGG1o3PeCiCN7vufT0"
Message-ID: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Date: Tue, 1 Mar 2022 18:18:02 +0100
MIME-Version: 1.0
To: oauth <oauth@ietf.org>
Content-Language: de-DE
From: Daniel Fett <fett@danielfett.de>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1646155083; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=gLxatYnSKpYsa9hKGNfu8ID596TXdkmoXwbUkrSW9BQ=; b=letK8f4hHAdgERQ9WWk+2TR6O4rZGqiMxmZUmbTYvr33NmJyQMRiF91bJnP7Aa+mVBgi2Q 0VTGBlsANxVFiwYY9ysDoGJFPEYy6XOZxSdEHE4EthuMF3iPXcaQa7aKsEwK5XkfJoQUB3 ZsK5BLW3NuqzniW8krijbl7S48XuZrk=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1646155083; a=rsa-sha256; cv=none; b=QEFAlLMHD0eUU4wOAOBDgo+FWcEnGg8jJRKf65kCt3bsN9xom+SI7hB93Y/Q01sOIYW8Dz 6ZtnqmkLkp8BOVRo27K8aZKFuz8k39U1Mw29BiJFIQVEJNByDnC2k5ahBw4SdZ/cK4YsFW QA0Y85GgKQj/688f3bAsNOLaTf/NGxc=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: ---
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h9_Ki1UYT8sS0xKqGrzWI6yHaNA>
Subject: [OAUTH-WG] OAuth: The frustrating lack of good libraries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2022 17:18:14 -0000


*Hi all,*


While helping clients to onboard into the yes ecosystem, in my 
consulting work, and in discussions with developers implementing OAuth 
2.0, one topic comes up increasingly often: The (somewhat frustrating) 
lack of good, modern, and universal OAuth libraries.

Many of the libraries out there have one or more of the following drawbacks:

  * They are not maintained any longer

  * They are not well documented (e.g., it is often unclear which 
specifications are supported)

  * They support only a subset of the OAuth 2.0 specification

  * They work only with selected providers (e.g., Google, Facebook, etc.)

  * It is unclear whether they follow recent security recommendations

  * They do not support modern features, such as PKCE, AS Metadata, 
MTLS, etc.

Exceptions exist, of course, like Filip's Node.js implementation and the 
nimbus library for Java. But apart from those rare cases, when a 
developer asks me what library to use, my answer is often: "I don't 
think there's a good one in your language". It is a telltale sign that 
many providers of OAuth protected APIs also provide a custom OAuth 
implementation in their SDKs, which they then often have to maintain for 
a number of languages. This creates unnecessary costs and friction, 
e.g., when introducing new security features.

At the same time, practically every language/framework comes with a TLS 
stack and making HTTPS requests is often just a few lines of code. Why 
aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a 
framework, not a single protocol like TLS, but the mentioned libraries 
show that this does not preclude a comprehensive library support.

If I had to speculate about the reasons for this mess, I'd say that 
there are three:

  * The core of OAuth is easy to implement. The need to create or use a 
library might not be obvious to developers. Of course, if you want a 
proper implementation with correct error handling, observing all the 
security recommendations, etc., the effort is huge. But just getting 
OAuth to work for one specific use case is relatively easy.

  * OAuth is traditionally hard to configure: authorization and token 
endpoint URLs, client id and secret, supported scopes (and claims for 
OIDC), supported response types and modes, and required security 
features are just some of the things a developer has to figure out - 
often from the API's documentation - to get everything up and running. 
Even though configuration is not the same as implementation, I imagine 
that this complexity can lead to the perception that there are barely 
any commonalities between different OAuth flows. There might be no 
value, after all, in an OAuth library, if I have to provide so many 
details myself.

  * With many extensions and specifications to choose from, it can be 
hard to select a reasonable subset to support.

What can we do about this?

I'm not sure, but I have a few ideas.

  * Of course, one step would be to increase visibility and 
documentation for existing implementations: Beyond listing libraries 
(like the list on oauth.net), it would be great to have a place to go to 
to find libraries based on their feature support. I'm sure there are 
more good libraries out there.

  * The OpenID Foundation has a great set of conformance tests for OIDC, 
FAPI and other stuff. Creating conformance tests for OAuth would be 
harder, given that the framework leaves many options for implementers to 
choose from. I’m not sure if running a conformance programme would be in 
the scope of IETF, but it can be worthwhile to think about if we could 
support such an endeavor.

  * The single most important thing to do would, in my opinion, be to 
set a goal: Tell library developers and language maintainers what can be 
expected from a good, modern, and universal OAuth library. Such a 
recommendation would shine a light on the most important extensions for 
OAuth like PKCE and might even be a prerequisite for conformance tests. 
It may turn out to be OAuth 2.1 or something else. For me, this would in 
any case include AS Metadata, as that is the single most valuable 
building block we have to address configuration complexity.

I would be interested to hear what others think about this. Is this a 
problem worth addressing? Are there other solutions? Is this out of 
scope of our work here?