Ironically, right around the time I'm working on an Authentication Provider, articles like this start popping up. So now I'm wondering - what is a new provider to do?
The Auth provider I'm working on will mostly be used across a stack of internal apps for now. So far I quickly got a prototype working using some example OAuth 2.0 provider Rails setups, and custom-built an OmniAuth connector to access the provider on a client.
So really I guess the question is: do I push through the crap and make it work, and work well? If so, what can I do to secure it correctly? Are there any good sources on securing something like this? If I shouldn't even be trying with OAuth 2.0, what else should I be considering as an option?
Thanks for any suggestions.
I agree also with @Jason Hall. You might want to stick with OAuth2 for now if you want others to easily authenticate/authorize to your service. OAuth2 has its flaws, but for the moment it is the best protocol we have.
But if you are really looking for an alternative and don't care that the standard is not finished, that it is only coded in JavaScript (Node.js) and that not too many people know about it, you could go with Oz, a new protocol developed by Eran Hammer.
Here is a link to the GitHub repository: https://github.com/hueniverse/oz