Posts tagged as coders
Text
OMFGAuth
TL;DR: Stop thinking of OAuth as the only way to secure APIs. Its not as widely adopted, nor as standardized, as you think. Do what’s best for your needs and your scenario, and quit worrying about OAuth compliance.
In my “Painless OAuth” talk yesterday at Web 2.0 Expo, I declared my opinion that it’s time to step back from the OAuth specification and consider if it’s really what’s needed for delegated authentication.
That’s right. I said it’s time to sunset OAuth.
While I was at Mashery, I argued for OAuth support within the Mashery service. Mashery still offers, and will likely continue to offer, an OAuth Accelerator option to its managment services. I got on the bandwagon in late 2007, and Mashery’s first OAuth-assisted customer went into production in mid-2008.
The promise of a simple, standard way to provide secure delegated access is fantastic. It’s universally felt that Digest Authentication doesn’t meet all the necessary use cases, and is overly complex. OAuth sought to be more accessible.
In my estimation, the OAuth mission has failed. We’re roughly four years into it, and there’s a tremendous amount of confusion among developers about what version of OAuth to use, who’s using what version, what libraries support what API providers, who’s running OAuth or simply something OAuth-like … and that doesn’t even get into debugging the often-difficult implementation challenges.
Today there are many OAuth-like services, such as Twitter’s xauth and OAuth Echo authorization paths, which I think of as “OAuth adjascent.” Then you’ve got Facebook’s nearly-OAuth 2.0 implementation, which makes up its own rules for the Desktop App flow.
There are certainly examples of strict OAuth spec adherance out there, but if the two largest organizations using OAuth or OAuth-adjascent approaches have chosen to deviate from the OAuth standard, are those specs really getting the job done? Nearly every conversation I have these days with developers or providers about OAuth includes a lot of eye-rolling, cursing, and assorted other expressions of frustration, including mentions of flavors, dialects and variants of OAuth. In other words, there is no standard in the real world.
One thing that’s important to consider is the set of problems OAuth set out to solve. (Eran & Chris, if you’re reading, let me know if I’m leaving something out.)
- SSL is too expensive. (From computational and financial perspectives.)
- HTTP Basic is too simple and insecure, and HTTP Digest is too complex.
- It would be great to standardize the kinds of authorization delegation that Flickr allowed. (Everyone wanted a way for users to grant permissions to applications or APIs without having to share their actual usernames/passwords with untrusted parties.) This has come to be known colloquially as the Three-Legged Scenario.
… and back in 2007, that was more or less it. The big deal around standardization was that developers wanting to integrate with services like Flickr or others had to spend a lot of time learning the details of a particular service’s custom security requirements and write new code to handle the same kinds of problems. So, code reuse through libraries has been a desired benefit of the standardization goal.
Now, in the post-FireSheep era, SSL is no longer considered to be that expensive, cost-wise or computation-wise (it’s not even considered “optional” anymore for a lot of things). SSL has gotten less expensive, and computing resources have become truly elastic. (Remember: in early 2007, Amazon EC2 still only offered one size of instance — what is today known as “small”).
We also have no reliable standard, so OAuth libraries are fragemented. Does your library support xauth? Or OAuth WRAP? Or OAuth 2.0? Ok, which draft of OAuth 2.0? … and so on.
Something we’ve seen at Mashery is that successful API programs are providing client libraries themselves. So, the situation that was common in 2007 — “raw” APIs which required everyone interested in using them to write their own code — has largely evaporated. The API providers that are continually referred to as “the guys to emulate” not only provide officially-supported libraries in multiple popular programming languages, they also nurture and support community-contributed code development. See https://simplegeo.com/tools/ for an example of how this is done.
Finally, I submit that OAuth 2.0 in its entirety is considerably more complex than HTTP Digest.
The world in which OAuth seemed like an absolute necessity no longer exists. Plus, the current state of affairs in the OAuth community says, as Dave Winer said a bit over a year ago “Wait — they’re ripping up the pavement. Don’t deploy.”
Does this mean I think standards are bad? No. Standards are obviously what make this big crazy thing called the Internet work. Without them, we’d be nowhere. However, I DO think that not everything needs a standard.
Can delegated authentication happen without the OAuth standard? Of course it can. There doesn’t need to be a standard — this whole thing could be done with a set of well-vetted Best Practices recommendations. Let API providers build and support libraries for their services, and let the Big Thinkers (who spend so much time thinking I find it hard to believe they’re actually doing any practical building) behind OAuth write up and argue about those Best Practices. See OWASP and SANS for how this has been done.
The path we’re on with OAuth today feels an awful lot like SOAP to me. (WS-* and all that.) Do we as developers and implementers really want to go there?
We’ve all built a couple prototypes for things that we threw away. That doesn’t mean that it was all a wasted effort, or that there’s nothing valuable that can be extracted from those early runs at the problem. I’d love to see what’s been learned from the OAuth experiment distilled into a set of best practices that others can pick from as it suits them.
And finally, I’m well aware that OAuth will be around for a long time. It certainly won’t die off as quickly as OpenID did, simply because it’s gotten better traction. (UPDATE: @joestump pointed out that OpenID isn’t dying as quickly as some think, and that the tech is still widely used. Tweets about this.)
If nothing else, those who are on the fence about implementing OAuth should take comfort in that position. You’re not alone. If Twitter, Amazon, Flickr, and Facebook aren’t using OAuth as specified, should you? It’s okay to consider a different approach than OAuth. Lots of providers do. In fact, one large Mashery customer that’s been using OAuth 1.0 for a long time is not going to use OAuth 1.0 or OAuth 2.0 in the next version of their API. They’re going to use an approach they’re building in-house that suits their set of needs the best, and is easier for developers to implement and understand.
Make no mistake: security is hard. However, it’s not so hard that your only option is to be spoon-fed by the OAuth Working Group. Think for yourself, and more importantly, for your use-case. Then do what’s best for you and your organization.
Here are the slides from my talk, if you’re interested. Especially nice if viewed with Safari, as you get the transitions and stuff. Also, Brooks Grigson took some great notes that might help those looking at the slides.
Text
On Continuous Deployment
My friend Kris Bondi asked this morning:
I’m no continuous deployment expert, but it’s gotten some attention after yesterday’s highlight at an Etsy board meeting.
Companies making the most of continuous deployment were designed to do so from the very early stages. Designing software for continuous deployment means a combination of the following:
- Unit tests. To really achieve the quantity of unit tests needed to call your code “tested,” Test Driven Development or Behavior Driven Development techniques are the easiest paths to get there. (Which isn’t to say adopting TDD or BDD is easy; just saying not following those principles make it much harder to get adequate code coverage.)
- Controlled feature cycle. An engineering team has to get their mind right about pushing code all the time. This is often referred to as “Agile,” but these days the term Agile is abused nearly as often as Cloud, so I avoid the term. The meat is that if a team thinks in terms of big pushes every couple of weeks/months, continuous deployment will never happen.
- Black box tests. Testing the system from the outside is critical. With a testing tool that can perform critical application flows (including JavaScript runtime), a team can make sure that they haven’t broken anything after a code push.
- Instrumentation. Above all, whatever combination of the other points are used, clearly readable team-visible displays of the status of the code base at any one time is the most important. This way it’s easy to gut-check whether the codebase is in a pushable state or not. It’s also easy to see when things break.
It takes a lot of discipline to implement all of the above. It takes even more to make sure that these kinds of processes get put in place early in a company’s life.
There’s been a lot of talk lately about technical debt, and I’m behind some of that. However, getting the above processes in place is not a place to skimp. Technical debt in instrumentation, for example, is foolish because it results in untrustworthy instruments. (See: A Boy Who Cried Wolf)
Why would a company not do continuous deployment? It’s usually not a conscious choice to avoid it, but rather a lack of knowledge of or commitment to the practice of continuous deployment at the point where it’s most critical. Once a set of customers/executives/board members get used to a certain pace of development, it’s hard to put the brakes on to clean up the development and release process. As a result, some companies just never do it. Their releases get less frequent as their feature builds take longer, usually due to a lack of confidence that what they’re doing isn’t going to break something else.
Companies can retrofit their processes to support continuous deployment, but it’s rare. It takes convincing people who are happy with how things are that there’s a better way. In an “if it ain’t broke, don’t fix it” world where everyone is conditioned to tread lightly, no one will eagerly step up to dramatically change the way the world turns.
As Etsy or hundreds of other swiftly-moving, customer-pleasing companies will attest, it’s a change worth making.
Text
The Anticipation of Interruption
As Paul Graham points out in his essay Maker’s Schedule, Manager’s Schedule interruption and context-switching can easily kill the momentum of someone involved in “the work of creating.”
Over the last month, I’ve been working on my new business from home. After all, I’ve successfully worked from home at various times over the last 15 years. A lot of Mashery’s early code was written at my home. Why not do the same again?
The big difference this time around: I’ve got two kids now, a 6 year old and a 4 year old, both boys. (My 4 yr old wasn’t born yet during Mashery’s first 6 months.) They’re super-DUPER excited that Daddy’s home during the day. This has led to my discovery of a new Achille’s Heel for Makers: The Anticipation of Interruption.
I found that even if I tell my boys that I’m working, and the door to my home office is closed, there are some things that are just TOO EXCITING to keep inside, especially if Daddy is right behind that door.
The Anticipation of Interruption is a familiar feeling. As Mashery grew beyond its early days—which involved long days of me coding alone with headphones on—there was an ever-increasing risk of interruption. That just happens as companies grow. If unchecked, companies risk large amounts of wasted time on the clock. (See Jason Fried’s TED talk on “Why Work Doesn’t Happen at Work.”)
I found that even if I had my headphones on—my version of The Nerd Hoodie—I’d often still wind up getting interrupted for something anyway. Anticipation of interruption can prevent makers from getting deep into the details of putting things together.
This is also a problem with co-working spaces and “Startup Hangouts.” I’ve visited several of those over the past month, and ultimately decided that the only difference was that the potential interruption wasn’t going to be coming from my kids.
Kinko’s, with Bose noise-cancelling headphones on top, has no interruptions. I don’t even get up to wander around, because someone might jack my laptop or bluetooth trackpad if I step away. Suddenly the day is carved into chunks of two ass-in-chair hours of focus, a deliberate pack-up-my-shit break, and another two hour stint.
How much work could you get done if you could wall it off like that?
Text
Bullshit Talks, Code Walks?
Salvatore Sanfilippo, author of Redis, posted yesterday that Pull requests are not conversations. It’s an interesting read, and certainly valid for a subset of open source projects.
What Salvatore overlooks is that very few projects reach the popularity that Redis has. The other 98% of projects have mailing lists filled with users complaining about why the code doesn’t do this or that, which creates a lot of noise for happier users, and creates angst for the project maintainers. (Or in most cases, maintainer.)
In fact, Salvatore’s post is in stark contrast to the other popular viewpoint: Pull request or STFU, a sentiment that’s even available as a fine fashion statement.
The reality is that you can’t have it both ways. You either have a backlog of pull requests to sift through and (possibly) engage in communication around, or you have a backlog of potential contributors chattering on your mailing list, most of whom are trying to convince the maintainer to do work they are unwilling or unable to do themselves.
I think most open source maintainers will agree an overload of pull requests is a high-class, edge-case problem. We want more pull requests, please, and less bullshit.
Text
Talk More, Hate Less
If you’re a consumer unhappy with the pricing of a new start-up service, talk to the Real Live Human Beings there before plotting their downfall. They’ll probably listen.
You have better things to do than build half-baked, unsupported open-source competition to new start-up services.
Talking with people running the service will likely yield better results faster than cobbling a reactionary hack together with strangers.
I know it’s a pain in the ass. As a coder (and part-time, only semi-reformed-but-trying hater), it’s much easier to imagine all the ways that you could have done it better than the people who actually did something. It’s way easier to code, start vacant Google Groups, fire up empty Github repositories than it is to engage someone at a for-profit company in reasonable discourse.
Even so, give it a shot. Talk more, hate less.
After all, if talking with the Real Live Human Beings doesn’t work, you can still stick it to them with The Most Popular Open Source Project Evah.
