1

Ironically, right around the time I'm working on an Authentication Provider, articles like this start popping up. So now I'm wondering - what is a new provider to do?

The Auth provider I'm working on will mostly be used across a stack of internal apps for now. So far I quickly got a prototype working using some example OAuth 2.0 provider Rails setups, and custom built an omni-auth connector to access the provider on a client.

So really I guess the question is - do I push through the crap and make it work, and work well? If so, what can I do to secure it correctly? Are there any good sources on securing something like this? If I shouldn't be even trying with OAuth 2.0 what else should I be considering as an option?

Thanks for any suggestions

Jon Phenow
  • 5
    IMHO OAuth 2.0 is fine. It's at least the best standard we have currently. You should use it at least until something clearly better comes along. – Jason Hall Jul 30 '12 at 02:13
  • 2
    I agree with @JasonHall. OAuth 2.0 is the best web API authorization standard out there. And OAuth 2.0 for authentication (via OpenID Connect) is significantly better than OpenID 2.0 in my opinion. – Ryan Boyd Jul 30 '12 at 22:14
  • 1
    I also agree with @JasonHall. Related blog post: [On the deadness of OAuth 2.0](http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead) – Håvard Geithus Jul 31 '12 at 09:06

1 Answer

0

I agree also with @Jason Hall. You might want to stick with OAuth2 for now if you want others to easily authenticate/authorize to your service. OAuth2 has its flaws but for the moment it is the best protocol we have for now.

But if you are really looking for an alternative and don't care that the standard is not finished, that it is only coded in JavaScript (Node.js), and that not too many people know about it, you could go with OZ, a new protocol developed by Eran Hammer.

Here is a link to the GitHub: https://github.com/hueniverse/oz

jnbdz