38
by Icee
7y

Sums up my classmates

Comments
  • 3
    OAuth2 is crap.
    It's seriously much less secure than OAuth1 -- look at the design and flows yourself.
  • 1
    @Ashkin what specifically is the problem then?
  • 7
    OAuth is for authorization and everything else you have listed there are authentication methods.
  • 3
    @Ashkin sorry dude, but if Google trusts OAuth2, so do I. #GoogleIsSkynet
  • 2
    @ChappIO @rephiscorth OAuth2 is for authorization, not authentication.
  • 1
    @Ashkin What is the difference?
  • 2
    @Ashkin but what makes it so much less secure according to you?
  • 2
    @kingspp authentication is identifying users. Authorization is providing (or declining) access to resources to that user.
  • 2
    @ChappIO
    OAuth1 is a protocol. It's very straightforward, and every implementation will look basically the same. OAuth2 isn't -- it's basically a framework, and so implementations will vary wildly, and will very likely be incompatible. This is less about security (though still a concern because of its complexity) and more about mess.

    However, in OAuth2, tokens aren't bound to clients, and they cannot be revoked (only expired). It's a service granting consumers authorization to use portions of your app on its behalf. And, so long as the token isn't expired, it will allow access. So be very careful with expiry timers.

    As for the difference:
    Authentication asserts a user's identity. Authorization allows a client access to certain actions, typically (but not always) authenticating in the process.

    OAuth2 is not designed to fulfill the authentication use case, and acquiring an access token from an OAuth2 provider does not mean the user has been authenticated.
  • 1
    @Ashkin okay, I will continue to use auth2 authorization on my services. I value opinions but this one does not seem well constructed.
  • 1
    @ChappIO

    An example:
    OAuth2 will happily grant a user an access token for a public role (e.g. public pages, APIs, etc.), but this conveys absolutely nothing about the identity of the user -- only what they are allowed to access. Assuming this public access token marks a user as authenticated leads to severe security holes.

    Also, the provider is very often a different service, which can open further security holes, especially when used by third party sites, etc.
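A compact illustration of the point made in the two comments above, as an added example that is not part of this thread: an in-memory OAuth2-style token store in which an access token scoped to public resources passes a naive "is logged in" check but carries no identity at all, while authentication needs a separate identity assertion (the kind of ID token OpenID Connect layers on top of OAuth2). The token values, scopes and the `web-app` client id are constructed for the example.

```python
# Added example (not from the thread): an OAuth2 access token is authorization,
# not proof of identity. Everything here is an in-memory, constructed stand-in
# for an authorization server; no real provider or network is involved.
import time

# Constructed access-token store: scope, client and expiry, as an authorization
# server would track them. None of these fields identifies the end user.
ACCESS_TOKENS = {
    "tok-public-1":  {"scope": {"public:read"}, "client_id": "web-app", "exp": time.time() + 3600},
    "tok-profile-1": {"scope": {"profile"},     "client_id": "web-app", "exp": time.time() + 3600},
    "tok-expired-1": {"scope": {"profile"},     "client_id": "web-app", "exp": time.time() - 1},
}

# Constructed identity assertions (what an OpenID Connect ID token adds on top
# of plain OAuth2): a subject, an audience bound to one client, and an expiry,
# issued only after the provider actually authenticated the user.
ID_TOKENS = {
    "id-1": {"sub": "user-42", "aud": "web-app", "exp": time.time() + 3600},
}

def introspect(access_token):
    """Return the access token's record if it exists and is unexpired, else None."""
    rec = ACCESS_TOKENS.get(access_token)
    if rec is None or rec["exp"] <= time.time():
        return None
    return rec

def naive_login(access_token):
    """The mistake discussed above: any valid access token is treated as a login.
    A token that only grants public:read 'logs the user in' just the same."""
    return introspect(access_token) is not None

def resource_access(access_token, required_scope):
    """Correct use of an access token: authorization for one resource/scope."""
    rec = introspect(access_token)
    return rec is not None and required_scope in rec["scope"]

def authenticated_user(id_token, expected_aud="web-app"):
    """Authentication: accept only an identity assertion issued for this client
    (audience check) that has not expired; return the user's subject."""
    claims = ID_TOKENS.get(id_token)
    if claims is None or claims["exp"] <= time.time() or claims["aud"] != expected_aud:
        return None
    return claims["sub"]
```

`naive_login("tok-public-1")` returns True even though the token says nothing about who the user is; `authenticated_user` returns a subject only for a bound, unexpired identity assertion.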
  • 2
    @Ashkin damnable 5 minute edit window

    Typing on a phone with a baby is extremely difficult ☹
  • 1
    @ChappIO much of this is straight from the original project lead (Eran Hammer).

    Don't take my word for it. Do your due diligence.
  • 2
    I actually know a website where they did the bottom one, but to be safe they had the passwords and usernames in a js file named something like: f8rn3jifnrifmea.js so that "you couldn't find it"😞