First, a few disclaimers. This is the unofficial work of a single individual (me), not a community-endorsed specification. While it is a significant improvement over the official OAuth Core 1.0 specification (if I may say so myself), there is only one OAuth Core 1.0 specification, and until decided otherwise by a strong community consensus, it will remain the only one. And last, this revision was designed as a purely editorial rewrite of the specification. It should not change how the protocol works in any way (except for a few bug fixes which were discussed and agreed to by the community).
Now that I got that out of the way…
I am excited to announce and share the publication of the unofficial OAuth Core 1.0 “Editor’s Cut” edition (you know, like they do with movies). This is what OAuth would have looked like if I had 2 years of specification writing experience prior to writing the original specification (editorially speaking).
As I wrote before, I decided to revise the core specification as we prepare to begin the standardization work within the IETF. I wanted to have a better, more consistent baseline to work with, but even more, I wanted to offer developers a better document to read today, instead of having to wait for the IETF profile of the protocol which is expected to take about a year.
The result is a completely new approach to explaining OAuth. It includes a new, much simplified set of terms (gone are the confusing consumers, service providers, and multiple types of tokens). The new document structure has also been completely revised, flipping the specification on its head. The new specification first explains how to make OAuth-authenticated requests, before explaining how to obtain tokens via redirection.
Another benefit of the new format is that it places less emphasis on the browser-based authorization workflow. Instead, it positions it as one of many possible methods for exchanging usernames and passwords for tokens.
This new “Editor’s Cut” is still a draft. I hope to receive feedback and comments from people who have read the official specification, as well as from people reading it for the first time. Even if you have read OAuth Core 1.0 before, you should read this from start to finish. This is a brand new document (except for the security considerations section, which is mostly the same).
(For all you HTML-challenged folks, the draft-hammer-oauth IETF version has been updated to this new edition.)