[Openid-specs-ab] Facebook OAuth extension ruffles feathers, nixes user access permission

Anthony Nadalin tonynad at microsoft.com
Thu Feb 2 18:22:58 UTC 2012

FB will still be standards compliant I bet, but not using an extension that has been through the standards process, BUT using an extension point that is part of the OAUTH V2 standard. Also this article talks about authentication mostly, which OAUTH tries very hard to avoid (and leave that to HTTP) and only deal with authorization, so this article is misleading in that sense.

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, February 02, 2012 10:12 AM
To: Anthony Nadalin
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Facebook OAuth extension ruffles feathers, nixes user access permission

I suppose the article is not talking about OpenID Connect at all but just questioning why they create yet another way of extending the access token validity time while OAuth 2.0 has a defined way of doing it.

I can sort of understand it. Being not standard compliant to fragment the market is a valid strategy for the largest player.

=nat via iPhone

On 2012/02/03, at 3:02, Anthony Nadalin <tonynad at microsoft.com> wrote:
What FB does is their business, they have created an extension that serves their own business needs, it's not part of OAUTH (but seems to fit the extension model). Everyone is allowed to create extensions that they feel are needed. I believe that they feel that OpenID Connect is too complicated for them to implement thus they have gone their own route.

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Thursday, February 02, 2012 9:50 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Facebook OAuth extension ruffles feathers, nixes user access permission

