Tuesday, March 31, 2009

OAuth vs. The End User

I just submitted a patch to fix Jaiku's OAuth implementation for accessing web applications. 99% of the code was there so submitting the patch appears to have been a simple task. Hopefully it gets merged into the trunk soon so I can keep working on my integration with ScreamIt!

OAuth has certain advantages over other public authentication schemes:
  1. The requesting site never receives your password.
  2. Revoking a token for one application means not having to change your password all over the Internet.
  3. The token is passed as a URL parameter, so there are no firewall concerns.

The drawbacks of the scheme, in my opinion, fall on the user. If not implemented correctly it can cause massive confusion, and even when implemented as intended it can still confuse some users. Here's a typical authorization workflow:
  1. Click a link that navigates away from site A to authenticating site B.
  2. Log into site B.
  3. Authorize site A to use data from site B.
  4. Site B redirects back to site A...hopefully (kicks Jaiku).

If set up properly it can be pretty seamless, and it only needs to be done once, unless site B decides to expire the access token.
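To make the four steps concrete, here is an added Python simulation of the three-legged exchange with site A (the consumer) and site B (the provider) running in one process; it is not Jaiku's code or any OAuth library, and the token format, storage, helper names and the oauth_verifier parameter (which the later 1.0a revision introduced) are assumptions made for the illustration. It also shows the revocation from advantage 2 above.

```python
import secrets
from urllib.parse import parse_qs, urlsplit


class Provider:
    """Site B (hypothetical): issues request tokens, records user approval, redirects back, swaps for access tokens."""
    def __init__(self, consumers):
        self.consumers = consumers    # consumer_key -> callback URL registered in advance
        self.request_tokens = {}      # request token -> state of the pending grant
        self.access_tokens = {}       # access token -> consumer_key

    def request_token(self, consumer_key):
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "verifier": None}
        return token

    def authorize(self, token, user_approved):
        # Steps 2-3: the user is logged in to B and approves (or declines) site A.
        # Step 4: B redirects only to the callback registered for that consumer,
        # never to a URL supplied in the request, and only once approval is recorded.
        if not user_approved:
            self.request_tokens.pop(token, None)  # declined grant: discard the pending token
            return None
        entry = self.request_tokens[token]
        entry["verifier"] = secrets.token_hex(4)
        return f"{self.consumers[entry['consumer']]}?oauth_token={token}&oauth_verifier={entry['verifier']}"

    def access_token(self, consumer_key, token, verifier):
        # A request token is single-use and must be the one this consumer had authorized.
        entry = self.request_tokens.pop(token, None)
        if entry is None or entry["consumer"] != consumer_key or entry["verifier"] != verifier:
            raise PermissionError("request token was not authorized for this consumer")
        access = secrets.token_hex(8)
        self.access_tokens[access] = consumer_key
        return access

    def revoke(self, access):
        # Advantage 2 in the post: revoking one token never touches the user's password.
        self.access_tokens.pop(access, None)

    def is_valid(self, access):
        return access in self.access_tokens


def run_flow(provider, consumer_key, user_approved):
    """Site A's side of the exchange; returns the access token, or None if the user declined."""
    token = provider.request_token(consumer_key)          # step 1: get a request token, send the user to B
    redirect = provider.authorize(token, user_approved)    # steps 2-3 take place at B
    if redirect is None:
        return None
    params = parse_qs(urlsplit(redirect).query)            # step 4: B redirects back with token and verifier
    if params["oauth_token"][0] != token:
        raise PermissionError("callback carries a token this session never requested")
    return provider.access_token(consumer_key, token, params["oauth_verifier"][0])
```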

What I really struggle with is the end user's reaction. I had a conversation today about doors that have handles on them but still require you to push for entry. Even though there is a sign on the door that says push, I still see the handle and pull every time. Is this process too confusing and drawn out? Users are used to filling out forms and clicking next -> next -> done to complete tasks. If I have to put up descriptive text to help the user through the authentication process, I've failed.

Facebook has done a good job of implementing a similar closed authentication scheme. I've been very surprised by the number of social sites that use it. Twitter is reportedly going to introduce OAuth support soon too. I'm hoping widespread adoption will lower the learning curve and that better OAuth workflow design will follow.
