Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard.
At the end, I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad.
Terribly sad. I worked on an implementation of the 1.0 version of the protocol and, while it had issues, it was (and still is) pretty useful. I stopped paying too much attention after the OAuth Summit, when it became clear that 2.0 and the IETF process was where OAuth was headed.
Eran should be commended for his hard work on the project, and I’m very sorry to hear that it came to this conclusion.