Oauth shows open protocols often get messy

2023-04-27 18:11:00 +07:00 by Mark Smith

Yesterday I wrote a commentary and writeup piece about ActivityPub, one of the contender protocols that has emerged in the federated social media space. A hot topic at the minute as many creators are looking for Twitter alternatives. What I discovered is that the visions of these protocols often sound wonderful, but the realities when you actually try to build something with them aren't always smooth sailing.

That's not to say that it isn't worth the effort, open solutions do offer fantastic long term benefits, but the road is invariably long and bumpy. With that in mind, it's useful to look at other open protocols just to get a sense of the types of difficulties involved in creating such a thing. One such open protocol is OAuth which has been used for authentication these past 10 years on pretty much all major APIs.

Robin Guideber writes:

The real-world OAuth experience is comparable to JavaScript browser APIs in 2008. There’s a general consensus on how things should be done, but in reality every API has its own interpretation of the standard, implementation quirks, and nonstandard behaviors and extensions. The result: footguns behind every corner.

Guideber would know, he's apparently been involved in building the authentication for many large APIs including amoung others Google (Gmail, Calendar, Sheets etc.), HubSpot, Shopify, Salesforce, Stripe, Jira, Slack, Microsoft (Azure, Outlook, OneDrive), LinkedIn, Facebook.

His article is ultimately a sales pitch for a product he's working on, however the piece is interesting nonetheless because it highlights very detailed real world examples of how these protocols often get stretched and used in different ways.

ActivityPub, which everyone is talking about at the minute, feels somewhat complicated to me. I'm interested to see whether Nostr gets much traction mainly because it's much simpler, but it too has issues. I wrote about some of these last week in a writeup piece about my experience setting up the Damus iOS app, which is a Nostr client.

Hopefully this gives a bit of perspective on open protocols. They come in all shapes and sizes, and adoption is hard to predict. It's clearly worth it in some cases. The world would be very different without, to name just a few, pop3 and iMap for email and TCP/IP, HTTP and FTP for the web.

For enquiries about my consulting, development, training and writing services, aswell as sponsorship opportunities contact me directly via email. More details about me here.