Hacker News

mooreds, yesterday at 3:06 PM

> It's all just a sprawling behemoth of a framework, because it tries to do everything.

I also interact with OAuth quite a bit at work. I also have dealt with SAML.

I'd pick OAuth over SAML any day of the week, and not just because OAuth (v2 at least) is 7 years younger.

It's also because OAuth, for all its sprawl, lets you pick and choose different pieces to focus on, and has evolved over time. The overall framework tries to meet everyone's needs, but accomplishes this via different specs/RFCs.

SAML, on the other hand, is an 800-page behemoth spec frozen in time. It tried to be everything to everyone using the tools available at the time (XML, for one). Even though the spec isn't evolving (and the WG is shut down), it's never going to go away--it's too embedded as a solution for so many existing systems.

I also don't know what could replace OAuth. I looked at GNAP but haven't seen anything else comparable to OAuth.