We are finalizing a draft for OAuth 3.0: this new authorization protocol is a revolution. The main goals are openness and simplicity.
OAuth 3.0: The New Open Protocol Paradigm
OAuth 1.0 is a protocol, but OAuth 2.0 was considered too loose and has been reclassified as a mere framework. A lot has been said about this issue: OAuth 2.0 has been criticized for its compromises.
However, the real problem is that protocols are too strict for today's internet. It was possible to agree on very strong rules when the discussion was limited to a small circle of scholars. Nowadays, Stanford, MIT and CERN no longer rule the internet. Hence, we need to open up protocols and make their rules forkable by anyone.
One could argue that protocols are meant to provide fixed rules, but we disagree. In fact, choosing your own protocol rules is de facto the new standard. For example, the emergence of multiple cryptocurrencies based on the Bitcoin protocol proves that openness is the new standard. This is the new paradigm underlying the OAuth 3.0 protocol.
Our draft will be studied by the Internet Engineering Task Force (IETF) in the coming weeks. We hope other standards will also tolerate flexible rules in the future. We believe HTTP and SMTP are next.
OAuth 3.0 Overview: 3 Key Features
To understand the OAuth 3.0 revolution, you need to be familiar with the core architectural changes since OAuth 1.0 and 2.0:
* 0 Token: this is a logical evolution. OAuth 1.0 started with 2 tokens (a request token and an access token), which was a heavy process. OAuth 2.0 brought this number down to 1, but we are now taking it to 0. This 0-token architecture allows a very efficient authorization flow: much less verbose.
* Plain-Text Encryption: OAuth 1.0 imposed a complicated "dance" of signing every request. OAuth 2.0 removed this need by relying on HTTPS rather than request signatures, but again, we are taking it one step further. In a groundbreaking paper we are about to publish, we will provide all the details of our new security revolution. Cryptography hasn't changed much since 1976, when the idea of public-key cryptosystems was first introduced. Whitfield Diffie and Martin Hellman did only half of the work: we have discovered that by making both the private and the public keys public, we remove the need for digital signatures or TLS. Several government agencies support our work in this domain.
* Any Grant You Like: OAuth 2.0 went from 1 type of grant to 4. Again, we improve on the existing design by providing unlimited flexibility.