Archive for February, 2011

February 25, 2011
OAuth 2.0 Bearer Token Specification draft -03

I’ve published draft 03 of the OAuth Bearer Token Specification. It contains one breaking change relative to draft 02 that was voted on by the working group: changing the “OAuth2” OAuth access token type name to “Bearer”. The full set of changes in this draft is:

  • Restored the WWW-Authenticate response header functionality deleted from the framework specification in draft 12 based upon the specification text from draft 11.
  • Augmented the OAuth Parameters registry by adding two additional parameter usage locations: “resource request” and “resource response”.
  • Registered the “oauth_token” OAuth parameter with usage location “resource request”.
  • Registered the “error” OAuth parameter.
  • Created the OAuth Error registry and registered errors.
  • Changed the “OAuth2” OAuth access token type name to “Bearer”.

The draft is available at these locations:

Your feedback is solicited.

February 15, 2011
Personal Reflections on the CardSpace Journey

Today, Microsoft announced that it will not be shipping Windows CardSpace 2.0. Having made a significant personal investment in working to make CardSpace a success and the Information Card vision a reality, I wanted to take the opportunity to share a few personal reflections on the CardSpace journey and the lessons we might want to take away from it.

I’ll start by saying how much I appreciate getting to work with the amazing and diverse set of people that came together around the Information Card idea. I’m still amazed when I look at the sets of participants at the interop events in Barcelona in 2007 and San Francisco in 2008. That many people and organizations don’t come together to work on something together unless they see something valuable there. OSIS (originally an acronym for “Open Source Identity Selector”), the Information Card Foundation, the OASIS IMI TC, and labors of love like the Pamela Project, XMLDAP, the Higgins Project, the Bandit Project, and openinfocard are likewise testaments to the compelling nature of the Information Card vision. I’ve loved working on this with all of you!

So with all this support and energy behind Information Cards, why aren’t we on the path to ubiquitous adoption? While there are many reasons, I’ll highlight two, based upon my personal experiences…

  • Not solving an immediate perceived problem: In my extensive experience talking with potential adopters, while many/most thought that CardSpace was a good idea, because they didn’t see it solving a top-5 pain point that they were facing at that moment or providing immediate compelling value, they never actually allocated resources to do the adoption at their site.
  • Not drop-dead simple to use: Users were often confused by their first encounter with CardSpace; many didn’t succeed at the task at hand. Indeed, many saw it as something complicated getting in the way of what they were actually there to do.

While there are plenty of other reasons that were contributing factors, such as requiring a client that wasn’t ubiquitously available and not having server software available to go with the client, I firmly believe that if people thought that CardSpace would provide immediate compelling value and that it was easy to use, Information Cards would now be an everyday part of the Internet. Not having achieved those things, we are where we are today.

Not that this is the end of the line by any means. I believe there’s still tremendous value in the principles behind The Laws of Identity, the vision of user empowerment we all called user-centric identity, and the benefits of verified claims; the Internet is still missing an identity layer. Part of the great news for me personally is that I’m getting to continue working on making these things a reality with many of you who believed in the vision behind CardSpace and what it was trying to achieve.

As we go forward, hopefully the lessons learned from the CardSpace journey will help us succeed in ways that Windows CardSpace itself never did.