The lead author and editor of the OAuth 2.0 network authorization standard has stepped down from his role, withdrawn his name from the specification, and quit the working group, describing the current version of the spec as "the biggest professional disappointment of my career."
Eran Hammer, who helped create the OAuth 1.0 spec, has been editing the evolving 2.0 spec for the last three years. He resigned from his role in June but only went public with his reasons in a blog post on Thursday.
"At the end, I reached the conclusion that OAuth 2.0 is a bad protocol," Hammer writes. "WS-* bad. It is bad enough that I no longer want to be associated with it."
Authorization tokens in OAuth 2.0 are inherently less secure than they were in OAuth 1.0, he says, as a direct result of a series of compromises that were made to address the demands of the enterprise community.
Even worse, Hammer says, the working group has been unable to reach a consensus on a long line of significant issues, resulting in a specification that fails to deliver on even its most basic goals and doesn't achieve anything more than OAuth 1.0 did.
"I honestly don't know what use cases OAuth 2.0 is trying to solve any more," Hammer says.