OAuth 2.0: Enterprise vs. Web

Sobering post from Eran Hammer, previously of the OAuth 2.0 standards group:

Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdrew my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing.

The main rift he describes is the fundamental divide between the web community & the enterprise community. This is nothing new. It’s always been top-down, prescribed solutions vs. bottom-up, evolutionary solutions. See WS-*/SOAP vs. REST, RDF(a) vs. Microformats, XML/XSD/XSL vs. JSON, etc…

The enterprise wants revenue potential for services & tools, while minimizing new costs, maximizing existing infrastructure & mitigating perceived risks.

Web communities want shit that works, isn’t complex & doesn’t require expensive tools or services.

Cats & Dogs. Hatfields & McCoys.

The surprise here isn’t that Eran is leaving & OAuth 2.0 is a mess. It’s that anyone thought the two groups could co-exist in the first place.