... | ... | @@ -16,7 +16,7 @@ It too high-level, it's not efficient at all. But that's the last of its problem |
|
|
|
|
|
It took them too much time to develop, they wanted to support even PHP4 web hosting (which was a mess), and ended up with a protocol where the interoperability between implementations is 0.
|
|
|
|
|
|
It's like they didn't care about security. SSL was not even mandatory (like, What?). Sure, they have the magic crypto stuff in the messages, but and attacker still can get access if SSL is not used. (really useful crypto!)
|
|
|
It's like they didn't care about security. SSL was not even mandatory (like, what?). Sure, they have the magic crypto stuff in the messages, but and attacker still can get access if SSL is not used. (really useful crypto!)
|
|
|
|
|
|
My favourite part of the RFC is the nonce in the first messages. basically, this nonce is sent from the client to the server, but never sent back. The server is supposed to keep track of every nonce and parameters used with that nonce to avoid replay attacks. The meeting when they decided that it was a good idea was probably something like this:
|
|
|
|
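Review bot: the only change in this hunk is lowercasing "What?" on the SSL sentence, but the same sentence still carries the typo "but and attacker still can get access if SSL is not used", which should read "but an attacker can still get access if SSL is not used"; while touching this line it would also be worth saying plainly what the in-message crypto does and does not protect (it does not give transport confidentiality, which is why SSL being optional matters), since that is the security point the paragraph is making. Two smaller fixes in the same hunk: "basically, this nonce is sent" starts a sentence and needs a capital "Basically", and "My favourite part of the RFC is the nonce in the first messages" should name which RFC so the replay-tracking claim about the server storing every nonce and its parameters can be checked.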
... | ... | @@ -43,9 +43,16 @@ If Facebook, twitter and Instagram failed to implement it, how do you think you' |
|
|
|
|
|
![](http://media.tumblr.com/3fcbf9e25ce3cdf8f70a782448c6be6c/tumblr_inline_mqini1Asvk1qz4rgp.gif)
|
|
|
|
|
|
## Guess what? Version 3!
|
|
|
|
|
|
But with a different name. It's called 'OpenID-Connect', it works on top of OAuth2 (...???) and standardizes the possible framework choices, introduces autodiscovery (which is optional, great), and a lot more complexity.
|
|
|
|
|
|
It's dead Jim. Let it go.
|
|
|
|
|
|
## So... Fenrir is the answer?
|
|
|
|
|
|
I sincerely hope yes, but in regards to OAuth, anything else would be better, really.
|
|
|
|
|
|
The big difference is that OAuth is above the HTTP layer, so it **_seems_** easy to implement. Fenrir will need the protocol application (for example apache for HTTP) to expose the right calls to let the application (for example the web page) receive the authentication information, but the programmer won't have to reimplement crypto and singing by himself.
|
|
|
|
|
|
---- |
|
|
\ No newline at end of file |
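Review bot: the new Fenrir paragraph has a typo that changes its meaning: "the programmer won't have to reimplement crypto and singing by himself" should be "crypto and signing". In the same paragraph, "the protocol application (for example apache for HTTP)" should read "Apache", and the sentence would be clearer as "Fenrir will need the protocol implementation (for example Apache for HTTP) to expose the right calls so the application (for example the web page) receives the authentication information", since "protocol application" is ambiguous. Also in this hunk, 'OpenID-Connect' is normally written "OpenID Connect", and "introduces autodiscovery (which is optional, great)" would land better if it said why optional discovery hurts interoperability, which is the thread the post started with in the previous hunk. The file also still ends without a trailing newline (the "\ No newline at end of file" marker); adding one avoids noisy diffs on later edits.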