OAuth IETF Working Group

Via Joe Gregorio, it looks like OAuth is setting up a working group with the IETF.

Currently, those on the mailing list are working to draft the IETF working group charter, which states:

The Working Group will produce one or more documents suitable for consideration as Proposed Standard, based upon draft-hammer-oauth-00.txt, that will:

  • Improve the terminology used.
  • Embody good security practice, or document gaps in its capabilities, and propose a path forward for addressing the gap.
  • Promote interoperability.
  • Provide guidelines for extensibility.

This specifically means that, as a starting point for the working group, OAuth 1.0 (draft-hammer-oauth-00.txt) is used and the available extension points are going to be utilized. The WG will profile OAuth 1.0 in a way that produces a specification that is a backwards-compatible profile, i.e., any OAuth 1.0 and the specification produced by this group must support a basic set of features to guarantee interoperability.

I’ve signed up for the mailing list, if for nothing else than to follow along and see how the IETF process takes a document from Internet-Draft all the way to RFC, but maybe I’ll find something of value to contribute, as well. We’ll see.

There’s already been some discussion on the list concerning the use of OAuth on protocols other than HTTP, such as XMPP. Since OAuth 1.0 explicitly references HTTP, the working group has added provisions to consider the “ability to address broader use cases than may be contemplated by the original authors.” So, the final RFC may address uses of OAuth beyond HTTP, which I find interesting.

Eran Hammer-Lahav is soliciting feedback from those who have read the OAuth 1.0 spec or have implemented it to “share as many problems, errors, failures, mistakes, misunderstandings, wasted time, etc. caused by the spec not being clear enough.” The goal is to fully rewrite the OAuth spec to “make it much easier to read without changing anything that will impact implementation.”