webdev

1 thought
last posted Nov. 1, 2014, 4:34 p.m.
0

Why Google's Oauth2 implementation is poor

When comparing oauth2 providers I find that Google, while being the most compliant has the absolute worst working examples of their code. Everytime I see example code from google I get the mental image picture of a 24 year old developer who claims "its works!" while not even considering how someone who has never used the technology they are proposing may interpret their completely uncommented code base.

https://developers.google.com/accounts/docs/OAuth2WebServer

and

https://code.google.com/p/google-api-python-client/source/browse/#hg%2Fsamples%2Fdjango_sample

This framework obscure the oauth process from the developer, so you are completely dependent on the code same being simple to understand to get the implementation working. Secondly creating the oauth app is buried deep in google's "API Dashboard"

Compare this to oauth2 providers that actually give you the curl approaches directly, and allow you to compare it to their API. The oauth implementation is not hidden, and you can easily figure out what needs to be done.

Paypal

https://developer.paypal.com/docs/api/#authorizations

Github

https://developer.github.com/v3/oauth/

Coinbase

https://www.coinbase.com/docs/api/authentication

Here are my recommendations to oauth providers: Make the entire three legged process easy to natively implement Build auth apis that are simple extensions of that flow Make sure that the client api can access enough user information to create a user record on the target app without asking for more information. Make it easy for developer to create client app secrets and manage multiple environments.