Report from the OAuth BoF at the IETF 74th Meeting

The OAuth BoF at the 74th IETF meeting was such a success that it ended early, after the chairs had nothing more to say, and with applause from the audience. Later, people went out of their way to tell me just how unusual the reception OAuth received was. It turns out it is actually hard to get stuff accepted for standardization in the IETF (or so I was told).

The meeting agenda included two main items: a discussion of the charter status, and an overview of the current status of the specification draft. The idea was to start a list that will turn into our issues list once work officially begins.

The charter discussion was very interesting, and for an unexpected reason. The discussion focused on the inclusion of the 2-legged use case as something the OAuth working group should attempt to address directly. The 2-legged scenario is the typical client-server situation in which the client simply authenticates itself to the server, with no user delegation involved. HTTP defines two such methods in RFC 2617, called Basic and Digest.

This is interesting because the 2-legged use case was considered out of scope in the first IETF BoF. The consensus back in November was that we should avoid talking about replacing Basic and Digest authentication, and focus exclusively on the delegation use case.

However, since that meeting, people have started to realize that even though OAuth is focused on the 3-legged scenario (and beyond), it is still going to be used for 2-legged use cases. This led many people to change their view, with the mindset that since people are going to use it that way either way, it might as well be architected correctly so it ‘does not suck’.

We are still going to focus on the delegation use case, and the charter is not going to include replacing or deprecating the existing HTTP authentication methods. Nothing that far-reaching. But what we are likely to do is define a new method that will cover the OAuth use cases, and will also offer a good set of security and usability features for 2-legged usage.

On the issues list front, I presented a few slides going through the main open issues with the current specification, focusing on editorial changes, interoperability issues, security, and new functionality. You can see the slides below.