OAuth

What is OAuth?

OAuth is a powerful web authorization service that lets user exchange tokens for access to server-side resources. In theory, this protects the users credentials by keeping them hidden after the initial exchange. Tokens expire in a set amount of time, warding against unguarded terminals.

A Case For

OAuth is a powerful system with a userbase that includes some of the largest contemporary web traffic servers. It's security is not to be laughed at, and when implemented correctly, has no effect on the end user. It is as strong as it is transparent.

A Case Against

As all-encompassing as OAuth is, I could not help but feel like it was too encompassing in my brief encounter. Now, I am by no means an experienced OAuth adventurer who can safely tell you the depths of its waters, but the lengthy pains I encountered trying to implement OAuth was sufficient enough to drive me to more hospitable frameworks.

In trying to use OAuth, as an example, I had to use no less than 8 arguments to try to create a user session. This is of course, after staring at the docs for what seemed like forever and eventually require-ing someones JS workaround into my app. So bear in mind, 8 arguments is the short version.

oauth_consumer_key
oauth_token
oauth_signature_method
oauth_timestamp
oauth_nonce 
var consumerSecret
var tokenSecret
and the resulting: oauth_signature

Could I probably have stopped whining, dug deeper, and eventually have implemented OAuth? Definitely. Was I going to? Nope. Even if I wasn't pressed for time (which I was - it was a 2 day whirlwind sprint), I could probably have spent my time better writing an alternative.

I'm a firm believer in a framework doing your work for you. (Ask me about my Backbone MVC pains.) And OAuth did not seem to fulfill that basic premise. In fact, it was starting to look like OAuth was a string concatenator, rather than a framework. The straw that broke the camel's back was the oauth_nonce. It was basically a long string of random characters. As silly as this sounds, it was this level of lack of abstraction that made me finally move on. It was in the middle of writing the randomStr() function that I realized - what am I doing? I am solving a problem to solve a different problem to solve an authentication problem. I eventually decided to look elsewhere for my authentication needs.

Fin

As you can probably tell by the comparative length of the arguments, I dislike OAuth. That does not mean that I don't think it's a great authentication setup - I just don't think it is a very good API. I would say that OAuth seems a fine system for a high security requirement and free man-hours on the dev team for that purpose, but for small scale appliations, I recommend looking elsewhere.