OAuth 2.0 and OpenID Connect: Now What?

A former Toad recently asked my opinion about this article:
OAuth 2.0 and the Road to Hell
The question is well-timed: I'm in the middle of a big OpenID Connect / OAuth 2 implementation.

That article was written three years ago, but I think Eran Hammer is essentially correct: the standard (especially OpenID Connect) is big, complicated, and enterprise-y.

Overall, the loudest critique of OAuth 2 seems to be its dependence on TLS. The argument is that 1.0 provided defense in depth with two layers of cryptography (TLS plus per-request signatures). I'm not convinced this is a big problem: we don't demand this of other protocols (SSH, and the web itself, rely on a single layer of transport encryption). The argument also misrepresents the intent of the 1.0 signatures, which were designed to operate safely without TLS, so many 1.0 deployments had only a single layer anyway.
Organizations that want a belt-and-suspenders approach to encryption can (and often do) use a VPN.

It's true that interoperability is an issue. Unlike SAML (which is also enterprise-y, but defines a handful of explicit protocol bindings), OAuth 2 is a framework, and much is left up to the implementor. For example, what does a bearer token mean? OAuth 2 doesn't specify a token format or semantics, so a resource server that needs to validate a token must have out-of-band knowledge of the identity provider's implementation.

And this is where OpenID Connect helps. Its most useful feature is the ID token: a compact, stateless security assertion in the form of a JSON Web Token (JWT), signed by the identity provider so that the recipient can check the issuer, audience, and expiry itself rather than relying on out-of-band knowledge. A JWT is small enough to fit in an HTTP Authorization header, making it practical for single-page applications (e.g. AngularJS) that need to authenticate directly with REST services. This is a new capability that OAuth 1.0 did not offer.
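To make the two previous points concrete (an opaque bearer token tells the resource server nothing, while a signed JWT carries verifiable claims), here is an added example, not code from the original post or from any of the providers mentioned. It mints an ID-token-shaped JWT, pulls it out of an `Authorization: Bearer` header, and verifies it the way OpenID Connect Core requires: signature first, then `iss`, `aud`, `exp`, and `nonce`, with the accepted algorithm pinned on the verifier side. It uses HS256 with a constructed shared secret so it runs with the standard library alone; real OpenID Connect providers sign ID tokens with RS256 keys published in their JWKS document, and the issuer, client ID, and secret below are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures (assumptions for this example): a shared HS256 secret and the
# issuer / client identifiers the relying party expects. Real providers sign ID tokens
# with RS256 keys from their JWKS endpoint; the claim checks below are the same.
SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example"
EXPECTED_AUDIENCE = "spa-client-id"


def b64url_encode(data: bytes) -> str:
    """JWT segments use base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the issuer stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: serialise header and claims, sign with HMAC-SHA256, join with dots."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def bearer_token_from_header(authorization: str) -> str:
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected a Bearer token")
    return token.strip()


def verify_id_token(token: str, secret: bytes = SECRET, issuer: str = EXPECTED_ISSUER,
                    audience: str = EXPECTED_AUDIENCE, nonce=None, now=None) -> dict:
    """Relying-party side: verify the signature, then the OIDC claims. Returns the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # The verifier decides the algorithm; the token never does. Accepting whatever
    # 'alg' says is how 'none' and key-confusion bugs get in.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now

    # OpenID Connect Core 3.1.3.7 ID token validation: iss, aud, exp, and nonce if one was sent.
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired")
    if nonce is not None and payload.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return payload


def is_valid(token: str, **kwargs) -> bool:
    """Convenience wrapper: True if verify_id_token accepts the token, False otherwise."""
    try:
        verify_id_token(token, **kwargs)
        return True
    except ValueError:
        return False


def demo():
    """Round trip a token through a Bearer header, then show a tampered payload being rejected."""
    issued = int(time.time())
    token = mint_id_token({"iss": EXPECTED_ISSUER, "sub": "user-123", "aud": EXPECTED_AUDIENCE,
                           "iat": issued, "exp": issued + 300, "nonce": "n-0S6_WzA2Mj"})
    claims = verify_id_token(bearer_token_from_header("Bearer " + token), nonce="n-0S6_WzA2Mj")

    # Re-encode the payload with a different subject but keep the original signature.
    h, p, s = token.split(".")
    forged_payload = json.loads(b64url_decode(p))
    forged_payload["sub"] = "admin"
    forged = h + "." + b64url_encode(json.dumps(forged_payload).encode()) + "." + s
    return claims["sub"], is_valid(forged)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is compared against what the verifier expects rather than trusted from the header. Pinning `aud` to the client ID is what stops a token issued to a different application at the same provider from being replayed against this one.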

Now What?

Hammer concluded:

I think the OAuth brand is in decline. This framework will live for a while, and given the lack of alternatives, it will gain widespread adoption. But we are also likely to see major security failures in the next couple of years and the slow but steady devaluation of the brand. It will be another hated protocol you are stuck with. [emphasis in original]

Three years later, I think it's safe to say this prediction has not come true.

Many large IDaaS providers have already adopted OpenID Connect (such as Microsoft Azure AD, Google, OneLogin, and Salesforce), and I expect it to become ubiquitous in the future.
