The Case for OAuth 3.0
It’s been about a year since I proposed that we should move past OAuth 2.0, and a lot has happened since then to tackle some of the issues that I raised. I helped lead the TxAuth session at IETF 106 in Singapore last week, and we had a number of side meetings and follow ons from that to discuss the implications. So far, we’re seeing two major approaches: extending OAuth 2.0, and building a new protocol from the ground up. I think there’s room for both in the world, for different reasons.