Re: [OAUTH-WG] New service provider that supports OAuth 2.0

Raffi Krikorian <raffi@twitter.com> Fri, 23 April 2010 17:07 UTC

From: Raffi Krikorian <raffi@twitter.com>
Date: Fri, 23 Apr 2010 10:06:24 -0700
To: Luke Shepard <lshepard@facebook.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New service provider that supports OAuth 2.0

just as a counter - twitter is taking a more paced stance.  our @anywhere is
built upon the oauth2 draft from a few weeks ago, and we're going to be
spending a portion of next week catching it up to the current draft.  it's my
personal goal to open the endpoint up so that developers can start to use
oauth2 in the wild, however, i'm trying to balance that with minimizing
churn.

On Fri, Apr 23, 2010 at 10:03 AM, Luke Shepard <lshepard@facebook.com> wrote:

> Hey Justin, al-
>
> I'll send a more complete email this afternoon with the details of the
> Facebook OAuth deployment. For now I just wanted to respond to your
> questions:
>
> >  Is Facebook committed to tracking the spec in its development
>
> Yes. Our main focus right now is stability and bug fixing for what we just
> launched, but as the working group releases drafts we will participate and
> upgrade accordingly. We have been very vocal on the list the past month,
> mostly because we wanted to get the core areas right before we launched. I'm
> pretty happy with where we are as a starting point.
>
> >  If so where does that put developers that need to change their
> libraries?
>
> Now that it's in the wild, we must support backwards compatibility so we
> don't break existing apps. For that reason, we will likely support only a
> subset of the spec for some time. The parts that are still churning quite a
> bit (desktop flows, signatures, etc) we will probably not launch until they
> have stabilized, but the flows we do support (web server, user agent, client
> credentials) we will maintain backwards compatibility.
>
> >   I can't help but fear that we'll end up in situation where the largest
> vendor's extensions become better supported than the real standard
>
> I agree that this is a risk, but we are doing everything we can to mitigate
> it. The version of OAuth we pushed on Wednesday is up to date as of Eran's
> Monday draft - I think that should be taken as a sign of honest good faith
> to stay in sync here. There will no doubt be some churn as the spec evolves.
> I promise to try to raise any issues we see early so that if Facebook ends
> up not supporting some piece of the spec, the reasons are obvious.
>
> I think the real way to prevent that is to have multiple interoperable
> implementations by different vendors so that library makers can test across
> platforms.
>
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Justin Richer
> Sent: Friday, April 23, 2010 7:55 AM
> To: Greg Brail
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] New service provider that supports OAuth 2.0
>
> I was surprised that this announcement didn't garner more commentary
> from the list here, as this decision worries me a little bit. There are
> a lot of components of the OAuth protocol that aren't stabilized into a
> real standard yet, and I'm worried that the Facebook implementation of
> "OAuth 2.0" will become the de-facto standard before the IETF group can
> come up with something final.
>
> Is Facebook committed to tracking the spec in its development? If so,
> where does that put developers that need to change their libraries as
> the underlying spec changes? If not, where does that leave the official
> OAuth spec?
>
> I will say that I am absolutely *thrilled* to see Facebook at the table,
> and Luke and David have done some great work here. I am ecstatic that
> Facebook is pushing away from a proprietary stack into an open standard
> at all. Even so, I can't help but fear that we'll end up in a situation
> where the largest vendor's extensions and quirks become better supported
> than the real standard, like with HTML and CSS.
>
>  -- Justin
>
>
> On Wed, 2010-04-21 at 16:05 -0400, Greg Brail wrote:
> > Whoa, it was!
> >
> >
> >
> > So, does anyone know what Facebook is planning to do when the spec
> > changes, which I assume it's going to keep doing for a while?
> >
> >
> >
> > I mean, the part of the spec that they're describing on the page has
> > been pretty stable, but if I were building an app for the Facebook
> > platform I'd be wondering.
> >
> >
> >
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Allen Tom
> > Sent: Wednesday, April 21, 2010 3:01 PM
> > To: OAuth WG
> > Subject: [OAUTH-WG] New service provider that supports OAuth 2.0
> >
> >
> >
> >
> > Well that was fast!
> >
> > http://developers.facebook.com/docs/authentication/
> >
> > Allen
> >
> >
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi