To put it briefly: Eran is in part right and completely, totally off base.
Let me first say that I admire Eran for sticking with it for so long. Being the document editor for something that needs 30 versions to get “done” is not easy.
Eran is completely right in saying that OAUTH 2.0 has grown into a much larger beast than 1.0, and that there are now ways in which you can put 2.0 together that will be unsafe, non-interoperable and probably fattening too. Eran is also right in thinking that the WG has taken way too much time to reach this point.
However, Eran is missing an important reason for why things developed the way they did. Eran touches on this when he talks about enterprise vs. web.
In fact where Eran talks about enterprise it should really say “Microsoft”.
Early on, and for several meetings, the WG was totally devoid of traditional software vendors. It did (to some extent) attract the big web companies with a stated interest in OAUTH: Facebook, Google and Yahoo, along with a few of the mobile operators. The mobile operators stayed on and have made important contributions, but the web companies were a completely different story.
Personally, I was surprised at the level of “ego-waving” going on at some of the early meetings and when WRAP appeared. I especially recall one WG meeting where a representative from one large stakeholder disrupted a session by walking out in the middle of an active round-table discussion, stating boredom as the reason.
In its formative months, when a WG depends on committed and active participation from invested vendors and operators, the OAUTH WG had too little of this and too much casting about.
When MSFT turned up (and people who know me know that I seldom sing their praise), their presence stabilized the WG and it started to make progress, but important time had been lost.
Is OAUTH 2.0 a failure?
The future will tell. I do not think the fact that FB is still operating on version 20 (or something) is a measure of the success or failure of the protocol. Having implemented OAUTH 2.0 myself, I don’t agree with Eran that 2.0 is more complicated than 1.0; quite the contrary. I agree with Eran in thinking that an important piece of OAUTH 2.0 has been lost by making signatures an optional part of the spec. Ironically, the proponents of that change cited more or less the same reasons that the opponents of “WS-*” cite: simplicity.
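To make concrete what “signatures” means in that paragraph, here is an added example (the editor’s code, not code from the original post, from the OAUTH WG or from any vendor): a minimal RFC 5849 HMAC-SHA1 signer and verifier, next to an RFC 6750 bearer-token check. In 1.0 the client signs the method, the URL and every parameter with secrets that never travel on the wire, and the server can reject a tampered or replayed copy; a 2.0 bearer token is accepted against any request by anyone who holds it. The consumer key, secrets, token, URL, nonce and timestamp are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: scheme://host[:port]/path, lowercased, default port and query dropped."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    authority = host if port in (None, default) else f"{host}:{port}"
    return f"{scheme}://{authority}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded parameters).
    Query, oauth_* and form-body parameters are all covered; oauth_signature itself is not."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    params += list(body_params)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret):
    """RFC 5849 section 3.4.2: key is enc(consumer secret) & enc(token secret); result is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body_params=(), nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters, including the signature, for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class ResourceServer:
    """Server side. All secrets and tokens here are constructed, not real credentials."""

    def __init__(self, consumer_secrets, token_secrets, bearer_tokens, window=300):
        self.consumer_secrets = consumer_secrets   # consumer_key -> consumer_secret
        self.token_secrets = token_secrets         # token -> token_secret
        self.bearer_tokens = bearer_tokens         # set of valid OAuth 2.0 bearer tokens
        self.window = window                       # accepted clock skew, seconds
        self.seen_nonces = set()                   # (consumer_key, timestamp, nonce) already used

    def verify_signed(self, method, url, oauth, body_params=(), now=None):
        """OAuth 1.0: the signature binds method, URL, parameters, timestamp and nonce."""
        try:
            consumer_secret = self.consumer_secrets[oauth["oauth_consumer_key"]]
            token_secret = self.token_secrets[oauth["oauth_token"]]
            ts = int(oauth["oauth_timestamp"])
            nonce_key = (oauth["oauth_consumer_key"], ts, oauth["oauth_nonce"])
        except (KeyError, ValueError):
            return False
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window or nonce_key in self.seen_nonces:
            return False                           # stale, or an exact replay
        expected = hmac_sha1(signature_base_string(method, url, oauth, body_params),
                             consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False                           # any change to the request lands here
        self.seen_nonces.add(nonce_key)
        return True

    def verify_bearer(self, authorization, method, url):
        """OAuth 2.0 bearer (RFC 6750): only the token string is examined; method and URL
        are deliberately ignored, because the token is not bound to them at all."""
        scheme, _, token = authorization.partition(" ")
        return scheme == "Bearer" and any(hmac.compare_digest(token, t) for t in self.bearer_tokens)


def demo():
    """Sign one request, then try tampered and replayed copies against both schemes."""
    server = ResourceServer({"client-9djdj": "consumer-secret-kd94hf93k"},
                            {"token-kkk9d7": "token-secret-pfkkdhi9sl3r4s00"},
                            {"2YotnFZFEjr1zCsicMWpAA"})
    url = "https://api.example.com/photos?size=original&file=vacation.jpg"
    oauth = sign_request("GET", url, "client-9djdj", "consumer-secret-kd94hf93k",
                         "token-kkk9d7", "token-secret-pfkkdhi9sl3r4s00",
                         nonce="7d8f3e4a", timestamp=137131201)
    now, bearer = 137131201, "Bearer 2YotnFZFEjr1zCsicMWpAA"
    return {
        "signed_method_changed": server.verify_signed("DELETE", url, oauth, now=now),
        "signed_param_changed": server.verify_signed("GET", url.replace("vacation", "private"), oauth, now=now),
        "signed_ok": server.verify_signed("GET", url, oauth, now=now),
        "signed_replayed": server.verify_signed("GET", url, oauth, now=now),
        "bearer_ok": server.verify_bearer(bearer, "GET", url),
        "bearer_reused_elsewhere": server.verify_bearer(bearer, "DELETE", "https://api.example.com/account"),
    }
```

Run `demo()` and only `signed_ok`, `bearer_ok` and `bearer_reused_elsewhere` come back true: the signed request survives exactly once and only unmodified, while the captured bearer header is just as good for a `DELETE` on another resource as for the request it was issued for. That difference, and not the size of the spec, is what was traded away for simplicity.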
If there is a lesson to be had, perhaps it is this: make it as simple as possible, but no simpler. Unfortunately, many standards development organizations (SDOs) routinely fail to remember this.
The challenge going forward is how we measure interoperability for something like OAUTH, where there are no reference implementations and few traditional software vendors, and those that do exist add lots of secret sauce to the mix.
Will OAUTH 2.0 move beyond single-vendor ecosystems, where if you want to talk to Facebook you had better use the Facebook reference code if you expect anything to work?
I sure hope so.