23

The Web industry is shifting / has shifted towards using OAuth when extending API services to external consumers & developers. There is some elegance in simple... and well, the 3-step OAuth process isn't too bad... I just find it is the best of a bad bunch of options.

Are there alternatives out there that could be better, and more secure?

The security reference is derived from the following URLs:

I've come across this over on the IT Security Stack Exchange and thought it was poignant from a security point of view:

Maybe SAML 2.0 is an alternative?

What about OpenID?

The purpose of this question is from a programming point of view.

Is OAuth the best option that exists today ...?

Do alternative options exist which allow me to extend my Web Application to consumers that are better from a security point of view, implementation point of view, longevity (won't require rework in a few months), and enabling the support of mobile applications consuming my web application?

sdolgy

1 Answer

12

Firstly, OAuth is not a login replacement. That's a task solved by OpenID and similar.

OAuth is a temporary data-transfer authorisation protocol. For the kind of task where you want to import your data from websiteA to websiteB, you'd use OAuth. But you'd still log in to websiteA using OpenID. However, Google recently announced a protocol that combined the two, so I guess the difference between them is more muddy than before.

An alternative to OAuth would be Facebook Connect. I'm not sure I know of any alternatives to that (perhaps some of the RPC security systems could be suitable for the web).

gbjbaanb