If there was one perfect way to do third-party auth, we wouldn't need a standard, because all the big companies would be doing it, and the smaller companies would do it.

The problem is, there's a bunch of decisions with auth, which have to be made, but aren't really important. What should the name of the auth token header be? What should be the format of the responses? These decisions are like deciding what side of the road to drive on: it doesn't matter which side of the road you drive on, as long as everyone drives on the same side of the road. The function of a standard is to decide what side of the road everyone drives on.

OAuth isn't a standard. It's just a description of all the various homegrown third-party auth systems that anyone has implemented over HTTP, with only the absolute worst patterns weeded out. None of the shareholders wanted to re-implement their third-party auth, so they just made sure their flavor of auth made it into the standard. It's like if the Europeans and the Americans got together to standardize the side of the road that everyone drives on, and the standard they came up with is "You have two options for which side of the road to drive on, the right or the left."

Until a group of visionaries with enough clout to make the world fall in line creates an actual standard, OAuth is going to continue to be crap. And there's a strong disincentive to do that: if you agree to conform to a standard that isn't exactly what you've already implemented, then that means you have to reimplement. A few years' pain conforming everyone to a standard would significantly drive humanity forward--an incomprehensible amount of developer hours have been spent writing custom OAuth integrations, and an actual standard would allow us to write libraries around it that everyone could use. But corporations don't care about pushing humanity forward when it's contrary to their bottom line.