olback · 11d

OAuth is unnecessarily complicated. No wonder so many implementations are vulnerable...

Comments
  • 1
    If you want simple, use sessions; if you want something robust, use OAuth2.

    JWT has a lot of cons, and therefore a very limited use case. Not fun to change the authentication system after the app is complete and running.
  • 3
    @lamka02sk Why not use JWT? I think it's pretty secure.
  • 2
    @frogstair Security is not the problem. The problem is access management. The problem is that it is just too basic. For example: want to log out a specific user? There is no way.

    // I am not saying that it sucks, but for any project larger than small, use something else.
  • 2
    @lamka02sk That depends on the JWT payload.
  • 1
    @lamka02sk I mean, can't you just add custom claims to add validation and store the token with the user? I think that's the way it was meant to be implemented. This also allows the user to log out by invalidating their token.
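    The server-side bookkeeping the last few comments argue about, as an added example that is not code from anyone in the thread: HS256 JWTs carrying a `jti` and a per-user `ver` claim, backed by a store that can end one session or every session a user holds. The signing key, the in-memory store and the sample users are constructed for the example; a real deployment would load the key from configuration and keep the store in a shared database or cache.

```python
# Added example (not from the thread): HS256 JWTs plus the server-side state
# that makes "log out this user" possible. Key and store are constructed here.
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-signing-key"  # assumption: loaded from config in a real app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Tracks live token ids and a per-user 'token version'.

    jti -> user lets a single session be ended; bumping the user's version
    invalidates every token issued before the bump (log out everywhere).
    """

    def __init__(self):
        self.active = {}   # jti -> user_id
        self.version = {}  # user_id -> int

    def issue(self, user_id: str, ttl: int = 3600, now=None) -> str:
        now = int(time.time()) if now is None else now
        jti = secrets.token_urlsafe(16)
        self.active[jti] = user_id
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": user_id, "jti": jti, "ver": self.version.get(user_id, 0),
                   "iat": now, "exp": now + ttl}
        signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                                 for part in (header, payload))
        sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def verify(self, token: str, now=None):
        """Return the claims if the token is authentic, unexpired and not revoked."""
        now = int(time.time()) if now is None else now
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            # Pin the algorithm: the token must never choose it ('none', key confusion).
            if header.get("alg") != "HS256":
                return None
            expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None
            claims = json.loads(_b64url_decode(p))
            if claims.get("exp", 0) <= now:
                return None
            # A valid signature only proves who minted the token; revocation
            # is decided by the store, which is the part a bare JWT lacks.
            if self.active.get(claims.get("jti")) != claims.get("sub"):
                return None
            if claims.get("ver") != self.version.get(claims.get("sub"), 0):
                return None
        except (ValueError, TypeError, AttributeError):
            return None
        return claims

    def logout_session(self, token: str, now=None) -> bool:
        """End the one session this token represents."""
        claims = self.verify(token, now)
        if claims is None:
            return False
        self.active.pop(claims["jti"], None)
        return True

    def logout_user(self, user_id: str) -> None:
        """Invalidate every token this user holds, on all devices."""
        self.version[user_id] = self.version.get(user_id, 0) + 1
        for jti in [j for j, u in self.active.items() if u == user_id]:
            del self.active[jti]
```

    The two checks after the signature check are the point: a token that verifies cryptographically is still rejected once its `jti` has been dropped or the user's version has been bumped, which is the "log out a specific user" operation a purely stateless JWT cannot offer. The cost is the per-request lookup that a stateless design was meant to avoid.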
  • 0
    I can't speak for OAuth, but OAuth2 is great. It seems complicated when you first see it, but then you realize it's still the minimum complexity to get the job done.
  • 0
    @calmyourtities The whole redirect thing is so retarded. I don't have a server, just a client. What do I do? Make my own server just to be able to use an API that requires OAuth2?
  • 1
    @olback What do you mean you don't have a server? Like you're implementing it for an app? In that case I'd register a domain and have a web view in the app for the user to sign in with. The user would finish the sign-in process, and the webview would redirect to mydomain.com/callback?token=xyz.
    You can listen for the URL of the webview to change to the callback URL, and then extract the token from there.
    I agree it's designed for websites and should be improved for non-website applications.

    Also, it'd probably be better to open the web browser and register your app to handle mydomain.com URLs, but that's harder.
  • 1
    @calmyourtities Yeah, I'm making a native desktop app and using an OAuth2 API. So hard without a server and/or WebView.
  • 1
    @olback
    What are you doing with OAuth on a desktop app that's not connecting to APIs?
  • 0
    @SortOfTested GTK based Twitch player.
  • 2
    @olback Make the callback open your app if possible (with xdg-open for Linux, if that's possible). I think that's the only way.
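    The "no server, just a client" problem worked through as an added example that is not code from anyone in the thread or from any Twitch client: a native app runs the OAuth 2.0 authorization-code flow with PKCE and receives the redirect on a loopback listener, the pattern RFC 8252 recommends for native apps, so it needs neither a public server nor an embedded web view. The endpoint URLs, client id and scope are placeholders, and the code stops at building the token request because the example has to run offline.

```python
# Added example (not from the thread): authorization-code flow with PKCE for a
# native desktop app, receiving the redirect on a loopback listener (RFC 8252).
# Endpoint URLs, client id and scope passed by callers are placeholders.
import base64
import hashlib
import secrets
import threading
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    # Fresh verifier per login; only its hash leaves the app before the token call.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def parse_callback(path: str, expected_state: str):
    """Interpret the request the browser delivers to the loopback listener."""
    url = urllib.parse.urlparse(path)
    if url.path != "/callback":
        return None
    query = urllib.parse.parse_qs(url.query)
    state = query.get("state", [""])[0]
    # state ties this response to the request we started; anything else is a
    # stale, replayed or injected response and must never be exchanged.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return {"error": "state_mismatch"}
    if "error" in query:
        return {"error": query["error"][0]}
    return {"code": query.get("code", [""])[0]}


class LoopbackRedirect:
    """Short-lived HTTP listener on 127.0.0.1 that catches the redirect.

    An ephemeral loopback port means no public server and no embedded web
    view: the system browser delivers the authorization code to the app.
    """

    def __init__(self, expected_state: str):
        self.result = None
        self.done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                outcome = parse_callback(self.path, expected_state)
                if outcome is None:
                    self.send_response(404)
                    self.end_headers()
                    return
                receiver.result = outcome
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"Login finished, you can close this tab.")
                receiver.done.set()

            def log_message(self, *args):  # keep the example quiet
                pass

        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = f"http://127.0.0.1:{self.server.server_address[1]}/callback"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def wait(self, timeout: float):
        self.done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.result


def authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, challenge):
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def run_login(authorize_endpoint, token_endpoint, client_id, scope,
              open_browser=webbrowser.open, timeout=300):
    """Drive one login; return the token request to POST, or None on failure.

    The POST is left to the caller so the example runs offline. There is no
    client secret anywhere: a public client cannot keep one, PKCE replaces it.
    """
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    receiver = LoopbackRedirect(state)
    open_browser(authorization_url(authorize_endpoint, client_id,
                                   receiver.redirect_uri, scope, state, challenge))
    result = receiver.wait(timeout)
    if not result or "error" in result or not result.get("code"):
        return None
    return {"url": token_endpoint,
            "body": {"grant_type": "authorization_code", "client_id": client_id,
                     "redirect_uri": receiver.redirect_uri, "code": result["code"],
                     "code_verifier": verifier}}  # sent form-urlencoded
```

    `run_login` opens the system browser by default; `open_browser` is a parameter only so the flow can be driven without a browser. The custom URI scheme route mentioned above (the app registered as handler for a scheme, launched via xdg-open) is the other option RFC 8252 describes; the loopback listener is usually the simpler one on desktop and does not depend on registering a scheme that another local application could also claim.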