Comments
Root 79704 8y
OAuth2 is crap.
It's seriously much less secure than OAuth1 -- look at the design and flows yourself.

OAuth is for authorization; everything else you have listed there is an authentication method.
ChappIO 4687 8y
@kingspp authentication is identifying users. Authorization is providing (or declining) access to resources to that user.
Root 79704 8y
@ChappIO
OAuth1 is a protocol. It's very straightforward, and every implementation will look basically the same. OAuth2 isn't -- it's basically a framework, and so implementations will vary wildly, and will very likely be incompatible. This is less about security (though still a concern because of its complexity) and more about mess.
However, in OAuth2, tokens aren't bound to clients, and they cannot be revoked (only expired). It's a service granting consumers authorization to use portions of your app on its behalf. And, so long as the token isn't expired, it will allow access. So be very careful with expiry timers.
As for the difference:
Authentication asserts a user's identity. Authorization allows a client access to certain actions. Typically (but not always) authenticating in the process.
OAuth2 is not designed to fulfill the authentication use case, and acquiring an access token from an OAuth2 provider does not mean the user has been authenticated.
ChappIO 4687 8y
@Ashkin okay, I will continue to use auth2 authorization on my services. I value opinions but this one does not seem well constructed.
Root 79704 8y
@ChappIO
An example:
OAuth2 will happily grant a user an access token for a public role (e.g. public pages, APIs, etc.), but this conveys absolutely nothing about the identity of the user -- only what they are allowed to access. Assuming this public access token marks a user as authenticated leads to severe security holes.
Also, the provider is very often a different service, which can open further security holes, especially when used by third party sites, etc.
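Root's public-token example above, as an added illustration that is not from the thread: a Python resource-server check that treats any active access token as a login, next to one that keeps authorization (scope, expiry, issuing client) apart from identity. The token records are constructed to resemble RFC 7662 introspection output; the field values and the `web-app` client id are assumptions.

```python
# Added example (not from the thread). Token records are constructed to look
# like what a resource server gets back from a token introspection endpoint
# (RFC 7662 style fields); values and the client id are assumptions.

NOW = 1_700_000_000  # constructed "current time" in Unix seconds

# Constructed introspection results for four tokens.
PUBLIC_TOKEN = {"active": True, "scope": "public:read",
                "client_id": "web-app", "exp": NOW + 3600}  # no 'sub': anonymous
USER_TOKEN = {"active": True, "scope": "public:read profile:read",
              "client_id": "web-app", "sub": "user-42", "exp": NOW + 3600}
EXPIRED_TOKEN = {"active": True, "scope": "profile:read",
                 "client_id": "web-app", "sub": "user-42", "exp": NOW - 1}
OTHER_CLIENT_TOKEN = {"active": True, "scope": "profile:read",
                      "client_id": "some-other-app", "sub": "user-42",
                      "exp": NOW + 3600}


def naive_is_logged_in(token):
    """The mistake described in the thread: any active token counts as a login."""
    return bool(token.get("active"))


def _is_valid(token, expected_client, now):
    """Checks shared by every decision: active, unexpired, issued to our client.

    Expiry is the only 'revocation' OAuth2 gives you, so it is checked on every
    request; client_id is checked because the protocol does not bind the token
    to the client it was issued to.
    """
    return (bool(token.get("active"))
            and token.get("exp", 0) > now
            and token.get("client_id") == expected_client)


def authorize(token, required_scope, expected_client, now=NOW):
    """Authorization: may the bearer of this token perform the action?"""
    return (_is_valid(token, expected_client, now)
            and required_scope in token.get("scope", "").split())


def authenticated_subject(token, expected_client, now=NOW):
    """Identity: the user the token was issued for, or None.

    A valid public-role token authorizes the request but carries no subject, so
    it names nobody. Even a 'sub' only says which resource owner granted the
    scope; an actual login belongs to a separate authentication layer.
    """
    if not _is_valid(token, expected_client, now):
        return None
    return token.get("sub")  # None for public-role tokens
```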
Root 79704 8y
@Ashkin damnable 5 minute edit window
Typing on a phone with a baby is extremely difficult ☹
Root 79704 8y
@ChappIO much of this is straight from the original project lead (Eran Hammer).
Don't take my word for it. Do your due diligence.
Dacexi 11977 8y
I actually know a website where they did the bottom one, but to be safe they had the passwords and usernames in a js file named something like: f8rn3jifnrifmea.js so that "you couldn't find it" 😞
Sums up my classmates