It’s ironic that a vulnerability in OAuth was identified on the same day that my post on integrating Twitter OAuth (and other third-party authentication) appeared.
I didn’t write about the potential hassle that site owners will endure when third-party services become unavailable due to bugs or other problems, but it’s a huge consideration for web developers.
If your site is integrated with any other third-party site for any reason, the performance, stability and reliability of the third-party service are your problem to manage. Your site users will not care that your site is down because OAuth is broken or AWS has an outage or whatever the case may be. They will only know that your site is broken.
Mitigation
The problem is that you can’t build and maintain everything — and you really can’t jettison third-party integrations generally. You can, however, mitigate failures by developing graceful failover options. Build failover solutions based on the importance of the third-party service. If your entire registration and login solution is dependent on OAuth, your best bet is to include some type of “We’re sorry, but registration and login are temporarily disabled” messaging. This isn’t a perfect solution, but it’s better than “Error 8000EAF0: Cannot connect garbage garbage garbage” or a blank screen.
In many cases, third-party integrations augment your site, but aren’t necessarily a requirement for using your site. Make sure in those cases (particularly for things such as widgets, ads, analytics, etc.) that if a component fails, your site design and usability don’t collapse.
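One way to implement the importance-based fallback described in the two paragraphs above, as an added example that is not code from the original post. The function names, the tier labels, the 2-second default timeout and the sample integrations are assumptions; the raw provider error goes to a log while the visitor sees either the plain notice or nothing.

```javascript
// Added example: tiers, names and timeouts are illustrative assumptions.
const FALLBACKS = {
  // Critical dependency (e.g. OAuth login): fail closed with a plain notice.
  critical: { ok: false, show: true,
    message: "We're sorry, but registration and login are temporarily disabled." },
  // Optional add-ons (widgets, ads, analytics): leave the slot empty.
  optional: { ok: false, show: false, message: "" },
};

// Reject if the provider does not answer within `ms` milliseconds.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout after " + ms + "ms")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Call a third-party integration without letting its failure reach the page.
// `call` returns a value or a promise; `log` receives the internal details.
async function callIntegration(name, tier, call, { timeoutMs = 2000, log = console.error } = {}) {
  const fallback = FALLBACKS[tier];
  if (!fallback) throw new Error("unknown tier: " + tier);
  try {
    // Promise.resolve().then(call) also captures synchronous throws.
    const data = await withTimeout(Promise.resolve().then(call), timeoutMs);
    return { ok: true, show: true, data };
  } catch (err) {
    // Raw provider errors go to the log, not to the visitor.
    log("[integration:" + name + "] " + (err && err.message ? err.message : String(err)));
    return { ...fallback };
  }
}

// Constructed demo: a login provider that errors, a widget that hangs,
// and an integration that works.
async function demo() {
  const logged = [];
  const log = (line) => logged.push(line);
  const login = await callIntegration("oauth", "critical",
    () => Promise.reject(new Error("Error 8000EAF0: Cannot connect")), { log });
  const widget = await callIntegration("share-widget", "optional",
    () => new Promise(() => {}), { timeoutMs: 50, log });
  const page = await callIntegration("profile", "optional", () => ({ user: "demo" }), { log });
  return { login, widget, page, logged };
}

demo().then((r) => console.log(r.login.message, r.logged));
```

The caller renders `message` only when `show` is true and treats `ok: false` on the login tier as "no session", so a provider outage disables sign-in instead of bypassing it.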
Remember that the web is still very young and that everyone — the big services included — is still learning how to make this all work together. The best bet for now is to build your system to be as flexible as possible because the frameworks are still shifting.
Update: I wrote this article last night (Wednesday), but I typically publish mid-morning. Since I wrote this article, tinyurl.com has experienced an outage.