GNAP has been considered the successor to OAuth 2.0 and became RFC 9635 yesterday.
More about it at https://oauth.xyz/
I think GNAP is easier to use than OAuth 2.0, with best practices as defaults and clearly articulated use cases, without having to reference oodles of additional OAuth 2.0 extensions.
This, in Appendix A, caught my eye:
"OAuth 2.0 requires all clients to be registered at the AS and to use a client_id known to the AS as part of the protocol. This client_id is generally assumed to be assigned by a trusted authority during a registration process."
One of the unexpected (to me at least) consequences of OAuth was how it facilitated walled gardens, where a service (like Twitter) can police what apps are allowed to connect to its API and what they’re allowed to do with it.
From the above, it sounds like GNAP doesn't have that issue…?
Yes, instead of the client having to be pre-registered, it tells the AS about itself at the beginning of the protocol.
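An added example (not code from the thread, from RFC 9635, or from the oauth.xyz project) of what "tells the AS about itself" looks like on the wire, next to the OAuth 2.0 token request it replaces, and of how an AS can still keep a stable per-client identity for logging, rate limiting and revocation without a registration gate. The field names follow RFC 9635 (access_token, access, client, key, proof, jwk, display, interact) and RFC 6749; the key coordinates, URLs, the "photo-api" access type, and the policy of using the RFC 7638 JWK thumbprint as the instance identifier are assumptions made for this example.

```python
"""Added example: a GNAP client introducing itself by key (RFC 9635) versus an
OAuth 2.0 client presenting a pre-registered client_id (RFC 6749), plus a
constructed AS-side check that derives a stable identity from the key.

Assumptions (not from RFC 9635): the AS uses the RFC 7638 JWK thumbprint as the
client instance identifier, and the key material below is a placeholder.
Verifying the key-proof signature (httpsig etc.) is out of scope here; a real
AS must do that before trusting anything in the client object."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWK and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed EC P-256 public key in JWK form. The coordinates are placeholder
# bytes, not a real point on the curve.
CLIENT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON (required public
    members only, sorted by name, no whitespace)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def oauth2_token_request(client_id: str, code: str, redirect_uri: str) -> dict:
    """OAuth 2.0 authorization-code token request (RFC 6749 section 4.1.3).
    client_id must already be known to the AS: no registration, no request."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}


def gnap_grant_request(jwk: dict, finish_uri: str, nonce: str) -> dict:
    """GNAP grant request body (RFC 9635 section 2). The client describes
    itself inline: its public key, the proofing method it will use, and
    display information. There is no client_id and no prior registration."""
    return {
        "access_token": {
            "access": [{"type": "photo-api", "actions": ["read"],
                        "locations": ["https://resource.example/photos"]}],
        },
        "client": {
            "key": {"proof": "httpsig", "jwk": jwk},
            "display": {"name": "Example Photo Viewer", "uri": "https://viewer.example"},
        },
        "interact": {
            "start": ["redirect"],
            "finish": {"method": "redirect", "uri": finish_uri, "nonce": nonce},
        },
    }


def gnap_grant_request_by_instance(instance_id: str) -> dict:
    """A client the AS has already seen may send the instance identifier the
    AS gave it as a plain string instead of the full client object."""
    req = gnap_grant_request(CLIENT_JWK, "https://viewer.example/cb", "unused")
    req["client"] = instance_id
    return req


SUPPORTED_PROOFS = {"httpsig", "mtls", "jwsd", "jws"}


def as_identify_client(grant_request: dict, known: dict) -> dict:
    """Constructed AS policy: any client may show up with a key (no walled
    garden), but the AS still gets a stable identity from the key so it can
    log, rate-limit and revoke per client. `known` maps instance id -> record."""
    client = grant_request["client"]
    if isinstance(client, str):
        if client not in known:
            raise ValueError("unknown instance identifier")
        return {"instance_id": client, "first_contact": False, **known[client]}
    key = client["key"]
    if key.get("proof") not in SUPPORTED_PROOFS:
        raise ValueError("unsupported key proofing method")
    instance_id = jwk_thumbprint(key["jwk"])  # assumption: thumbprint as id
    first_contact = instance_id not in known
    known.setdefault(instance_id, {"display": client.get("display", {})})
    return {"instance_id": instance_id, "first_contact": first_contact,
            "display": known[instance_id]["display"]}


if __name__ == "__main__":
    registry = {}
    req = gnap_grant_request(CLIENT_JWK, "https://viewer.example/cb", "n-1")
    print(json.dumps(as_identify_client(req, registry), indent=2))
```

The point of the AS-side function is the one the thread is circling: dropping registration does not mean dropping identity. The key is the identity, which is why the AS must verify the proof of possession before doing anything with it, and why a first-contact key is a natural place to apply stricter policy (for instance, always requiring user interaction) without refusing the client outright.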
I would note that OAuth 2.0 does have something equivalent in theory in the optional and rarely supported OAuth 2.0 Dynamic Client Registration Protocol, but GNAP streamlines this process.
I think it was only unexpected to people like you and me. I suspect with hindsight (and by seeing similar things play out with Passkeys) that it was understood by Big Tech Co’s.
It looks like this one has been brewing for a LONG time - these two example repos (linked from the bottom of https://oauth.xyz/) were both last committed to 4-5 years ago:
What’s the best intro to GNAP?