The author doesn’t even (AFAICT) go into the most evil aspect of OAuth— that it acts as a gatekeeper that allows service providers to police what client programs are allowed to connect to the service. It isn’t just authenticating the user, it’s authenticating the client developer. This allows services like Twitter and Facebook to become walled gardens while still claiming to offer open APIs.
Before OAuth, if a service has a published (or reversed) API, you can write a 3rd party client for it and the user can choose to use your client. After OAuth, the user can only choose a client that has been approved by the service provider. If the client does something the provider doesn’t like, such as blocking ads, they just withdraw their approval and kill it.
But there’s an even darker aspect to this requirement that is perhaps not immediately apparent: what happens if a site declines to accept your registration, or revokes your registration at a later time? Suddenly, a corporation (because the large players are all corporations) has control over whether or not your program is useful to your users
David has since posted an update saying that having implemented Gmail OAUTH support, he then found that getting his application approved by Google would cost “$10,000 -$75,000” annually for mandatory security assessments.
Understandably, he is not able or willing to do this.
Interestingly, people on The Orange Site seem to claim that there’s a phrasing there that would make the payment (and assessments) not apply to typical desktop clients (software not working on or using other servers). Did David miss it, or are the people there missing something, or is Google just overall to vague to be sure what they mean?
The author doesn’t even (AFAICT) go into the most evil aspect of OAuth— that it acts as a gatekeeper that allows service providers to police what client programs are allowed to connect to the service. It isn’t just authenticating the user, it’s authenticating the client developer. This allows services like Twitter and Facebook to become walled gardens while still claiming to offer open APIs.
Before OAuth, if a service has a published (or reversed) API, you can write a 3rd party client for it and the user can choose to use your client. After OAuth, the user can only choose a client that has been approved by the service provider. If the client does something the provider doesn’t like, such as blocking ads, they just withdraw their approval and kill it.
Hm; isn’t the “Issue 2” in the article all about exactly this?
…yes, it states that point very clearly.
There’s also the whole “Publish App” part at the bottom.
Oops, missed that, sorry.
David has since posted an update saying that having implemented Gmail OAUTH support, he then found that getting his application approved by Google would cost “$10,000 -$75,000” annually for mandatory security assessments.
Understandably, he is not able or willing to do this.
Not related to OAuth, but today Google also managed to kill off the excellent Android email app FairEmail.
Its developer, Marcel, has given up trying to get new versions of the app through the Play Store’s approval process.
Yes, this bit confused me totally. If I want to make an alternative Gmail client, I would have to pay for the pleasure?
Interestingly, people on The Orange Site seem to claim that there’s a phrasing there that would make the payment (and assessments) not apply to typical desktop clients (software not working on or using other servers). Did David miss it, or are the people there missing something, or is Google just overall to vague to be sure what they mean?
“security assessments” = Google employee clicking the “scan application” button on web UI