What I would change in OAuth

Now that I have had my rant about the misuse of OAuth, I thought I’d mention a couple of things that I think should be fixed in OAuth. I’m mostly skipping the “why” here, just to keep things short. And no, this doesn’t fix the problems from my rant; I’m not seeing how those issues can be fixed from a protocol perspective.

1. Enhance permissions via attribute exchange

OpenID has a couple of extensions, Attribute Exchange and Simple Registration Extension. Adding a similar simple attribute exchange capability to OAuth would allow for finer permissions control. While OAuth 2 has added a scope parameter for requesting permissions, it still lacks the ability to distinguish required permissions from optional permissions, along with information about what those permissions will be used for. A core/common set of social permissions should also be developed (e.g. write-wall). Oh, and please stop pretending that write access also means read access.

2. Add a ‘3rd party authentication’ setting

It seems some sites are using OAuth in place of OpenID as a way to authenticate users, usually because they also want access to some account data/APIs. I see plenty of confused comments about the two. Since it seems OAuth will get used this way, OAuth should just provide an authentication id like OpenID does. It is a bit out of scope for OAuth, but really sites just want a “Connect with X” capability where they can authenticate a user and easily ask them for more information. OpenID+OAuth could be used as well, but it’s just more complexity.

Maybe what I really want is OpenID Connect

3. Better UI handling

Google at least supports a method to tell them what size/kind of UI you want for the OAuth authorization page; this should be a standard part of OAuth. Having done two systems already that attempt to put that page into a dialog, it’s easy to see that every single site does something different enough to make the process awkward.

4. Management discovery

Ever try to revoke access to an application? Know where to start? Knowing and managing what access you have given to which applications/web sites should be easy for the user. That management aspect is not really a part of OAuth, but the discovery of the management URL should be defined in OAuth. I might go a step further and say that sites implementing OAuth should also have an OAuth management API. Then it would be simple to provide a centralized management UI in a Firefox addon. It would also be nice to know what data has been retrieved by whom.
