It's no coincidence that a substantially revised draft of OAuth Token Exchange was published during this holiday season, and that I wrote the first words of this post on December 23 (the day of Festivus, a holiday that inspired the title). Of course, it'll take a small army several days to correct all my spelling and grammar mistakes, so I don't expect this to be published until the end of 2015.
Okay, fine...it's just a coincidence. But Festivus gives me a convenient backdrop against which to write about the new IETF draft. Let's compare the aspects of Festivus to OAuth Token Exchange.
The Festivus Pole
A plain looking metal pole that's void of branches and decorations, the Festivus pole is a relatively inexpensive but quintessential symbol of an anti-consumerist holiday. Like this unadorned aluminum pole, OAuth Token Exchange is modest and void of unnecessary layers and confusing options, aspiring to be a symbol of anti-complexity in standards. Building on the normal interaction with the token endpoint, a token exchange request is a simple HTTP POST with form-encoded parameters, and the response is a familiar and easily parsed bit of JSON.
The traditional celebratory dinner at Festivus is meatloaf on a bed of lettuce--not exactly a universal dish for every palate. On the other hand, OAuth Token Exchange is much less prescriptive about what gets served. There are some new JWT claims defined (the "act" claim among them) that allow delegation semantics to be expressed, but the core exchange protocol is token-type agnostic and can be used with all kinds of tokens. You could say that this menu has more options.
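To make the two points above concrete (the plain POST-and-JSON exchange, and the delegation claims layered on top of it), here is an added example in Python. It is not code from this post or from the draft's authors. The grant-type and token-type URNs and the "act"/"may_act" claim names are the draft's; the token endpoint URL, the subjects, the sample tokens and the sample response are constructed for the example, and the JWTs are unsigned placeholders. Signature verification is assumed to happen before any claim is trusted; it is deliberately not done here.

```python
"""Added example, not code from the post or from the draft's authors. It shows
OAuth Token Exchange as the draft describes it: a form-encoded POST body to the
token endpoint, the JSON response, and the nested "act" claim a JWT uses to
express delegation. The URNs and claim names are the draft's; tokens, subjects
and endpoints are constructed. JWT signatures are assumed to be verified before
any claim below is trusted; this code does not verify them."""
import base64
import json
from urllib.parse import parse_qs, urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
TT_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TT_JWT = "urn:ietf:params:oauth:token-type:jwt"

def build_exchange_body(subject_token, subject_token_type, *, audience=None,
                        scope=None, requested_token_type=None,
                        actor_token=None, actor_token_type=None):
    """Client side: the form-encoded body of the token exchange POST."""
    if (actor_token is None) != (actor_token_type is None):
        raise ValueError("actor_token and actor_token_type go together")
    params = {"grant_type": GRANT_TYPE, "subject_token": subject_token,
              "subject_token_type": subject_token_type}
    optional = {"audience": audience, "scope": scope,
                "requested_token_type": requested_token_type,
                "actor_token": actor_token, "actor_token_type": actor_token_type}
    params.update({k: v for k, v in optional.items() if v is not None})
    return urlencode(params)

def parse_exchange_body(body):
    """Server side: decode the form body, rejecting a repeated parameter so a
    second subject_token cannot slip past whichever copy gets validated."""
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if any(len(v) != 1 for v in parsed.values()):
        raise ValueError("repeated parameter in token exchange request")
    params = {k: v[0] for k, v in parsed.items()}
    if params.get("grant_type") != GRANT_TYPE:
        raise ValueError("unsupported grant_type")
    if not params.get("subject_token") or not params.get("subject_token_type"):
        raise ValueError("subject_token and subject_token_type are required")
    if ("actor_token" in params) != ("actor_token_type" in params):
        raise ValueError("actor_token and actor_token_type go together")
    return params

def parse_exchange_response(body):
    """Client side: the JSON success response; raise on an error response."""
    resp = json.loads(body)
    if "error" in resp:
        raise ValueError("token endpoint error: %s" % resp["error"])
    for field in ("access_token", "issued_token_type", "token_type"):
        if field not in resp:
            raise ValueError("response missing " + field)
    return resp

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token):
    """Payload of a compact JWS, parsed only; the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def delegation_chain(claims):
    """[subject, current actor, earlier actor, ...]: the outermost "act" is the
    party acting now, each nested "act" the one it obtained the token through."""
    chain = [claims["sub"]]
    act = claims.get("act")
    while act is not None:
        chain.append(act["sub"])
        act = act.get("act")
    return chain

def actor_permitted(subject_claims, actor_claims):
    """Honour "may_act" in the subject token: only the party it names may become
    the actor. No "may_act" means nobody may (fail closed)."""
    may_act = subject_claims.get("may_act")
    return may_act is not None and may_act.get("sub") == actor_claims.get("sub")

def sample_jwt(claims):
    """Constructed, unsigned sample token with a placeholder signature segment."""
    return "%s.%s.sig" % (_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()))

# Constructed inputs: Alice's token names the front end as her permitted actor;
# the front end exchanges it (with its own token) for one aimed at the backend.
SUBJECT_TOKEN = sample_jwt({"iss": "https://as.example", "sub": "alice",
                            "aud": "https://frontend.example",
                            "may_act": {"sub": "svc-frontend"}})
ACTOR_TOKEN = sample_jwt({"iss": "https://as.example", "sub": "svc-frontend"})
SAMPLE_RESPONSE = json.dumps({
    "access_token": sample_jwt({"sub": "alice", "aud": "https://backend.example",
                                "act": {"sub": "svc-frontend",
                                        "act": {"sub": "svc-gateway"}}}),
    "issued_token_type": TT_ACCESS_TOKEN, "token_type": "Bearer", "expires_in": 60})

def demo():
    """Run the exchange end to end on the constructed inputs."""
    body = build_exchange_body(SUBJECT_TOKEN, TT_JWT, audience="https://backend.example",
                               actor_token=ACTOR_TOKEN, actor_token_type=TT_JWT)
    req = parse_exchange_body(body)
    permitted = actor_permitted(jwt_claims(req["subject_token"]), jwt_claims(req["actor_token"]))
    issued = parse_exchange_response(SAMPLE_RESPONSE)
    return permitted, delegation_chain(jwt_claims(issued["access_token"]))
```

The two checks worth noting are the ones the plain POST makes easy to forget: the server side refuses a repeated form parameter (so a second subject_token cannot ride along behind the one that gets validated), and the may_act check fails closed when the subject token says nothing about who may act for it.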
The Airing of Grievances
Central to the celebration of Festivus, the Airing of Grievances takes place immediately after dinner has been served. It consists of each person lashing out at others and the world about how they have been disappointed in the past year. So, what does this have to do with OAuth Token Exchange? I'll explain.
Some years ago, I was part of the engineering team that added WS-Trust support to PingFederate. It's tremendously useful and flexible, but let's just say it doesn't rank among my favorite specifications. I still bear the scars from the experience. So consider this my airing of past grievances about WS-Trust.
Feats of Strength
In the Festivus celebration, tradition states that the head of the household selects one person and challenges them to a wrestling match. Festivus is not over until the head of the household is pinned.
Similarly, there's been some wrestling over the technical approach to Token Exchange over the past year. Standards work isn't over until dissenters are pinned (or compromises are reached, at least). It's much less dramatic than pinning the head of a household, but challenging nonetheless.
It's a Festivus Miracle!
The revised IETF draft finally unifies several previously competing approaches to OAuth Token Exchange, and it appears to have generally broad support moving forward. Standards work is inevitably slow and subject to bumps in the road, but I'm cautiously optimistic about this work proceeding relatively quickly and without significant changes.