The GET /users endpoint will return a page of the first 13 users by default.

To request other pages, add |-separated querystring with the limit and offset, as roman numerals enclosed in double quotation marks. Response status is always equal to 200, plus the total count of the resource, or zero when there's an error.

You can include an array of friends of the user in the result by setting the request header "friends" to the base64-encoded value of the single white pixel png.

Other metadata is not included by default in responses, but can be requested by appending ?meta.json to any endpoint, which will return an xml response.

If you want to update the user's profile picture, you can request an OAuth token per fax machine, followed by a pigeon POST capsule containing a filename and a rolled up Polaroid picture. The status code attached to the return postal dove will be the decimal ASCII code for a happy smiley on success, and a sad smiley if any field fails form validation.

-- Every single external REST API I've ever worked with.

Dear Google OAuth,

you might hate me since i spammed you the whole day with access token requests.
But this is all your fault. Because you never gave me ONE SINGLE SHITTY TOKEN!!
WHAT THE FUCK IS THIS "BAD REQUEST" ERROR MESSAGE?!

You're a rich as shit company with thousand and thousands of employees.
OAuth is one of your essentials cause it handles the access to all your services.
So why the hell i cannot get some smart errormessage to debug my shit.

You are like my gf, when she is mad at me and does not tell me why. But even she is a lot easier to debug!

Just found out the backend developer I’m always complaining about. The one who:

- Can’t implement OAuth, and we have to have app users login every 24 hours because we have no way to generate new refresh tokens.

- Who used the phrase “your time zone is not my concern” to avoid building something that would let us inject test data.

- Who’s been debugging a critical bug affecting many users since December.

- Who can’t conduct API tests from external internet (you know, like the way the app will be in the wild) because it takes too much time.

- Who replies to Jira tickets only on a blue moon.

- Who has been 90% of the reason for my blood pressure situation

... is a fucking principal engineer in this company. In pecking order, his opinion should be considered more valuable than mine and everyone on my team.

I’ve just lost the will to live. How are big organizations THIS bad. Seriously, what promotion discussion did he go into

“So, you are a complete and utter bastard, nobody can stand to speak to you and you’ve yet to deliver anything of worth that actually works, over the course of several years ... ... ... interested in having your pay doubled??”

Me: *Installs travis*

Dev: oh what's travis?

Me: it's a continuous integration tool I wanna setup.

Dev: ... contin.... ?

Me: continuous integration, a tool that performs builds.

Dev: ah!, is it the new version of that deprecated tool we were using "client access"?

Me: ... no ... that's an authentication service that generates and stores oauth tokens. This is the continuous integration tool I told you about yesterday (and last week and the week before).

Dev: ... contin....

Me: ... con ........ continuous integration. It listens to branches on GitHub, downloads, builds, tests and then deploys the code.

Dev: ah ok ok, cool.

I would bet my monthly fucking salary he can not repeat what I said, tell me what oauth is, or explain what he's working on at the minute.

Jesus at this rate I'd bet my salary he can't tell me my name.

First rant, please take pity on the noob! 😐

Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫

Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...

... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.

So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.

Makes you consider the amount of control these big companies have over your life 😶

Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
*Hungs up*

I previously ranted about oauth being unapproachable and incomprehensible. Well, here’s the diagram that allowed me to finally understand it.

When you read oath as oauth, it's time to take some break 😨

UX bought to you by the glue sniffers of Microsoft's oAuth console for your webapp. "I tried to SAVE, but accidentally nuked my account instead" oops!

Made a simple college project using Node.Js, MongoDB, React... Wrote everything from scratch, starting from HTML to CSS and Routes even OAuth. No template was used.. Guess what teacher said...

She said I love the second project made using wordpress template because, "It looks amazing and beautiful"

One of the reasons why I hate college...

I have been strongly considering writing a small fb app today named something along the lines of "Hack your fb friends - for realz". Then add basic oauth (You have to login to pick the friend to hack duh), retrieve their friends list and then publicly post to their own timeline and the friends they chose humorously stating they attempted to hack the persons account "for realz". You know just enough to alert people that the "hacker" is a idiot with bad intentions but with just humour enough to fall under "satire" so fb doesn't remove it.

If your bored please feel free steal and implement my idea, it's hereby open sourced and I will even fund this shit on kickstarter 😂

!!oracle

I'm trying to install a minecraft modpack to play with a friend, and I'm super psyced about it. According to the modpack instructions, the first step is to download the java8 jre. Not sure if I actually need it or not, but it can download while I'm doing everything else, so I dutifully go to the download page and find the appropriate version. The download link does point to the file, but redirects to a login page instead. Apparently I need an oracle account to download anything on their site. stupid.

So I make an account. It requires my life story, or at least full name and address and phone number. stupid. So my name is now "fuck off" and I live in Hell, Michigan. My email is also "gofuckyourself" because I'm feeling spiteful. Also, for some reason every character takes about 3/4ths of a second to type, so it's very slow going. Passwords also cannot contain spaces, which makes me think they're doing some stupid "security" shenanigans like custom reversible encryption with some 5th grade math. or they're just stupid. Whatever, I make the stupid account.

Afterwards, I try to log in, but apparently my browser-saved credentials are wrong? I try a few more times, try enabling all of the javascripts, etc. No beans. Okay, maybe I can't use it until I verify the email? That actually makes some sense. Fine, I go check the throwaway inbox. No verification email. It's been like five minutes, but it's oracle so they probably just failed at it like everything else, so I try to have them resend the email. I find the resend link, and try it. Every time I enter my email address, though, it either gives me a validation error or a server error. I try a few mores times, and give up. I try to log in again; no dice. Giving up, I go do something else for awhile.

On a whim later, I check for the verification email again. Apparently it just takes bloody forever, but it did show up. Except instead of the first name "Fuck" I entered, I'm now "Andrew", apparently. okay.... whatever. I click the verify button anyway, and to my surprise it actually works, and says that I'm now allowed to use my account. Yay!

So, I go back to the login page (from the download link) and enter my credentials. A new error appears! I cannot use redirects, apparently, and "must type in the page address I want to visit manually." huh? okay, i go to the page directly, and see the same bloody error because of course i do because oracle fucking sucks. So I close the page, go back to the download list, click the link, wait for the login page redirect (which is so totally not allowed, apparently, except it works and manual navigation does not. yay backwards!), and try to log in.

Instead of being presented with an error because of the redirect, it lets me (try to) log in. But despite using prefilled creds (and also copy/pasting), it tells me they're invalid. I open a new tab container, clear the cache (just to be thorough), and repeat the above steps. This time it redirects me to a single signon server page (their concept of oauth), and presents me with a system error telling me to contact "the Administrator." -.- Any second attempts, refreshes, etc. just display the same error.

Further attempts to log in from the download page fail with the same invalid credentials error as before.

Fucking oracle and their reverse Midas touch.

So, a few months ago I agreed to rewrite a previous employer's OAuth app -- paid work, ofc, if below my usual rate. It's a rewrite because the project is so deprecated and fragile that upgrading it is likely much more difficult.

however, I drastically overestimated how much free time I would have. I thought I could shave off an hour a day to spend on it, and get the project done in a few weeks. However, it turns out I barely have twenty minutes a day to myself, and it's only after I'm mentally exhausted from the day's efforts.

I don't think I'm capable of completing the project given the demands on my time -- even if it's relatively straightforward to do.

I don't want to tell them no, especially after waiting on me for this. but I don't think I have a choice.

I feel terrible.

If your site asks me to log in and doesn't implement OAuth with Google or at the very least Facebook then go fuck yourself.
I have enough usernames and passwords in my head, I don't want more.

I fucking hate my boss so much

He looks down on me like I’m some idiot who doesn’t know his shit.
The other day he was trying to explain OAuth2.0 to me in the most dumbed down way ever, even after telling him I do already know how OAuth 2.0 works. He just said “oh well just making sure” and continued explaining it to me the exact same way. Felt shitty having something explained to you which you already know in such a way in front of all of your coworkers

Whenever I give my thoughts on something he answers with an argument that’s essentially true but pretty stupid:

B: “We don’t need to bundle our JS files” (see my other rant)
M: “Our load time is around 15 seconds though and it takes forever to update our script tags”
B: “Yes but it’s only 15 seconds once and the tags are already there so it’s fine”

How do you reply to something like that??

On top of that, his code is absolutely awful, always looks hacked together, lacks documentation and i don’t think he has written a unit test in his life

I don’t even like frontend, was told I would mostly do backend and it seems like all I’m doing recently is write fucking javascript because even if I wanted to write backend code, it’s nearly impossible to write clean code in this pile of horseshit codebase

When you're a hardcore web developer, the only 'action' you .get() is when you're writing a login form scraper for your three-legged oauth flow in Python

Facebook API...

Facebooks "graph" or API's in general fucking stink donkey dick.

Their implementation of oAuth is horrible.. 3 different tokens, which can be either short or long lived, for fetching a facebook page feed (the clients own facebook page)
To that you add a clientID and a ClientSecret.

Great... after painstakingly reading confusing documentation and itching your head... You get it to work.

Then they, without notice, makes a breaking change of deprecate an endpoint you were using.. Jesus..

And all the support you can get comes from a "community group" which may or may not reply with a generic link to their documentation...

Trying to add Google oauth to an old app on a client's request. God I hate past me.

I get very annoyed by sites that ask for too many privileges. If I want to comment on some post why would I give write access to all my source code repositories?

Currently working on my first real REST api and I've arrived at the authentication part.

I'm not sure how to do this one, the client will have to login using username/password but then, what's the most conventional way of authentication logged in users through a REST api? (no oauth (yet))

This should be usable for anything like ajax requests to calls from the backend to curl requests.

Looking forward to ideas!

How many times will you say hi to me when we're passing on the stairs for nth time? How many 👋 will you send me in one day at almost regular intervals? I'm not a fucking rest api. You don't have to generate a fucking oauth token every time you pass me some information. I have a fucking state and it's getting distracted by too much human interaction

Things are fun until you have to implement authing.😔

Hey guys! I need help!
I started to write a blog about the stuff I currently investigating: How to combine React, Oauth and Node.js.🤯
However, my penmanship isn’t that good.
So I’m looking for some nice stock images for good meme and funny pictures to support my writing.
Does Anybody know where I could download a nice bundle instead of google them one by one?🤔

Dev.to app asks me to type in my github username and password into the github login page opened in their app. Is there no better way to do OAuth on Android apps?

I've been using the Square REST API and I spent one hour thinking there was something wrong in my code until I f** found that THEY were not following OAuth 2 guidelines, which made their workflow incompatible with the OAuth lib I was using, so I had to mark an exception for Square's OAuth from the rest of my OAuths. Specifically, RFC 6749 Section 4.2.2 and 5.1.

However, after reading OAuth 2 guidelines, I became angry at THEM instead. The parameter `expires_in` should be the "lifetime in seconds" after the response. This will always be innevitably inaccurate, since we are not taking into account the latency of the response. This is, however, not a huge problem, since the shortest token lifetimes are of an hour (like f** Microsoft Active Directory, who my cron jobs have to check every ten minutes for new access tokens). Many workflows (like Microsoft, Square, and Python's oauthlib) have opted to add the `expires_at` parameter to be more precise, which marks the time in UTC. However, there's no convention about this. oauthlib and Microsoft send the time in Unix seconds, but Square does this in ISO 8601. At this point, ISO 8601 is less ambigious. Sending a raw integer seems ambiguous. For example, JavaScript interprets integer time as Unix _milliseconds_, but Python's time library interprets it as _seconds_. It's just a matter of convention, a convention that is not there yet.

Hope this all gets solved in OAuth 2.1 pleeeaasseee

That's it, where do I send the bill, to Microsoft? Orange highlight in image is my own. As in ownly way to see that something wasn't right. Oh but - Wait, I am on Linux, so I guess I will assume that I need to be on internet explorer to use anything on microsoft.com - is that on the site somewhere maybe? Cause it looks like hell when rendered from Chrome on Ubuntu. Yes I use Ubuntu while developing, eat it haters. FUCK.

This is ridiculous - I actually WANT to use Bing Web Search API. I actually TRIED giving up my email address and phone number to MS. If you fail the I'm not a robot, or if you pass it, who knows, it disappears and says something about being human. I'm human. Give me free API Key. Or shit, I'll pay. Client wants to use Bing so I am using BING GODDAMN YOU.

Why am I so mad? BECAUSE THIS. Oauth through github, great alternative since apparently I am not human according to microsoft. Common theme w them, amiright?

So yeah. Let them see all my githubs. Whatever. Just GO so I can RELAX. Rate limit fuck shit workaround dumb client requirements google can eat me. Whats this, I need to show my email publicly? Verification? Sure just go. But really MS, this looks terrible. If I boot up IE will it look any better? I doubt it but who knows I am not looking at MS CSS. I am going into my github, making it public. Then trying again. Then waiting. Then verifying my email is shown. Great it is hello everyone. COME ON MS. Send me an email. Do something.

I am trying to be patient, but after a few minutes, I revoke access. Must have been a glitch. Go through it again, with public email. Same ugly almost invisible message. Approaching a billable hour in which I made 0 progress. So, lets just see, NO EMAIL from MS, Yes it appears in my GitHub, but I have no way to log into MS. Email doesnt work. OAuth isn't picking it up I guess, I don't even care to think this through.

The whole point is, the error message was hard to discover, seems to be inaccurate, and I can't believe the IRONY or the STUPIDITY (me, me stupid. Me stupid thinking I could get working doing same dumb thing over and over like caveman and rock).

Longer rant made shorter, I cant come up with a single fucking way to get a free BING API Key. So forget it MS. Maybe you'll email me tomorrow. Maybe Github was pretending to be Gitlab for a few minutes.

Maybe I will send this image to my client and tell him "If we use Bing, get used to seeing hard to read error messages like this one". I mean that's why this is so frustrating anyhow - I thought the Google CSE worked FINE for us :/

Good morning to everyone, except that one Twitter dev who one day woke up and was like "YOU KNOW WHAT, MY APPLICATION WILL FEATURE BOTH OAUTH1 AND OAUTH2 ENDPOINTS, BUT SOME FEATURES WILL BE EXCLUSIVE TO EITHER OF THE TWO -NOT NECESSARILY THE MOST RECENT, JUST A RANDOM ONE-, AND ALSO THE OFFICIAL TWITTER LIBRARY WON'T COVER ALL THE ENDPOINTS SO PEOPLE WILL HAVE TO RESORT TO RAW HTTP REQUESTS INSTEAD OF USING MY SDK AND ALSO I'MMA MAKE DEVELOPERS FILL 2 VERY DETAILED FORMS, REQUIRING PERSONAL DATA AND ACTUAL REAL PHONE CALLS, JUST TO START DEVELOPMENT WITH 7 DIFFERENT AUTHENTICATION TOKENS, BECAUSE SOME REQUESTS WILL REQUIRE A DIFFERENT AUTHENTICATION METHOD THAN THE OTHER REQUESTS DESPITE ALL OF THEM PERTAINING TO THE SAME FUCKING ENTITY"

OAuth is a fucking mess beyond my understanding.

I don't know it. I don't care about it. I don't want to learn it.

I don't need to learn it.

Sorry guys but I have to vent!

I made such a stupid mistake I want to kill myself right now. In short you can call it ignorance..........

I spent so many hours trying to find a solution to a problem of invalid signatures being reported by an OAuth provider I'm making, just to find that Chrome was blocking requests to http.

So it was not a problem, to begin with. Aaaaarrh........ I'm so mad at myself.

Boss: "You hardcoded the redirect uri in the code (Early on during development and forgot about it, because apple OAuth is a piece of shit), but don't worry I fixed it by hardcoding the uri with the production host into the config file where clearly all settings are fetched from the OS Environment variables at runtime. This will surely fix the problem in staging we have, no need to thank me"

Fuck all authentication everywhere all the time. Fuck your passwords. Fuck your fingerprints. Fuck your rolling key fob. Fuck your aws secrets. Fuck your docker secrets. Fuck your oauth. Fuck your /etc/passwd. Fuck your groups. Fuck chmod and fuck chown and definitely fuck Kerberos. Fuck Saml. Fuck duo mobile. Fuck rotating pins. Fuck axiad. Fuck selinux. Fuck your fill out this form to get role based access. Fuck it doesn’t work because you can’t log in. Fuck it.

Im new on GitHub, and google didnt give me an answer simple enough for me to understand, so here i go.

How do i commit to GitHub and keep my files up to date, but without committing my password/oauth tokens?
Does one remove the line before committing, or what are you supposed to do?

Im using IntelliJ, dark theme

My manager gave me a project about integration & deployment to another internal product which involves consuming oauth credentials which were already available in AmazonS3. The worst part of this is I wont have any access to any AWS resources and no sandbox environment.

And I'm like. How the fuck should I do this? Should I just conceptualize and pray to the machine spirits and hope that this wont have any fucking issues?

User: If we use Oauth2, can we audit exactly where this data is going and who sends it there, and in addition cam we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?

Me: No

User: Why not?

Me: Because thats like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???

User: Uhhhhh

FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we dont even apply to extremely permissive accounts (i.e. users compared to apps) is folly

Google OAuth docs is such a pain to read... I have implemented OAuth multiple times and understand the flow. Its never been a problem, but man, their docs is such a pain to read.

Their Java client library is also painful. Its needlessly complex that I just ended up implement good old HTTP rest to handle it.

I recently finished high-school and got a job in PHP Development. My employer told me to make a simple app wich OAuths you to your Discogs account and receive your library list. I got hired afterwards and now i work on a huge project which launches in less than 2 weeks. The day i got my job i havent worked with Laravel but ~ 3 days.
When you need to learn something due to the pressure, you'll learn faster. It's the same as learning a new language - I'd rather go to live in a country where it's mainly spoken that language and learn it due to the necessity than buy courses online.

Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.

I really wanna get into making Reddit bots but man, OAauth2 is really turning my head into a pretzel :(

anyone know a good tutorial?

Basic REST server authentication: pass a valid username in the URL of your request and you can publish trade and market data that's used by other systems.

I think they're moving to oAuth now but... These developers are slow and only do things when a gun (Sr. Management) is held to their heads.

Oauth is unnecessarily complicated. No wonder so many implementations are vulnerable...

I've got a bit funny situation.
I wanted to make small application to speed up my dad's job, app is about duplicating models in X website (I don't want to say directly what website).
So I started by checking it has API, Yup, It has, but you need OAuth ID, to get it you need to write to support.
So I did it, my mail was something like that: "Hello, can I get access to your API, I want to make app to duplicate models with same settings, Thanks"
I've got an answer like that "Hello, our website doesn't have duplicating feature."
My reaction was: Wtf? I know it doesn't have that feature, That's why I want to make it. How did he get hired as technical support?
Maybe it's not the most exciting story, but I thought it could be intresting :)

Who in their right mind would do this / think of this....

Salesforce has the option use their API. Either via SOAP or Rest. At my work we currently use SOAP and I wanted to rewrite that to Rest. Fine, you would say.

Their Rest API uses oAuth, nothing fancy you would think. But those motherfuckers, per default have the option enabled that the refresh tokens you get via the necessary API calls are being marked expired the moment the API gives them to you... Then why the hell give them in the first place.

It took me 2 hours of my life to figure out, why in godsname all my refresh tokens were marked as expired. Fuck you Salesforce, I want those 2 hours back! God fucking damn it... I really fed up with this type of bullshit!!

bro look how cool i am haha lol i know java c c# angular react and php lol haha infact bro i created couple compilers haha lol bro vscode bro more like vssucks lol i use Google Docs for coding haha bro what is windows i use Ubuntu lol for that alpha sigma grindset life haha lol just update 1000 packages a week bro i play with the bootloader like messi plays football bro haha bro i can't exit vim bro i basically stay in it haha lol bro i know all about AI haha LLMs haha im taking an inteview, a shit and solving complex neurological simulations at once bro haha i wear dev related tshirts haha lol bro my house is built on Alexa bro haha ALEXA TURN ON THE LIGHTS see how cool it is bro haha i use OAuth everywhere bro to gain access to my toilet seat haha lol my thumbs hurt so bad lol bro cuz I code all day long bro what are weekends bro I never take leaves bro haha have to stay on that sigma side hustle culture right haha look how many stickers i have on my laptop haha im so cool haha lol.

But I am lonely and go online to tell people how cool I am from my mother's basement.

I was studying a lot the last year, i learned a lot about Machine Learning/Deep Learning, Data Gathering, Data Analysis, ETL, Model Architecture Design, Training, Fine Tuning, Backend Development, DataBases, API Development, ORMs, Rest, GraphQL, OAuth, CI/CD, Docker, Deployment to Production environments like Heroku, Git and more stuff i dont remember while writing this. I built and keep adding stuff to my Github Portafolio.

Im not able to get a job. I started looking for jobs as Data Scientists, no response never. I take a look at freelancer sites, nothing seems to fit my skills. And when there is a minimal fit, they always want a Full Stack Web Developer, i dont know Frontend Development, i dont like do it.

Dont know what to do or how to land any job.

My options aeems to be:

1.Learn Frontend Dev and work as Full Stack in underpaying freelance jobs

2.Keep applying to Remote-Only startups, but they still wants people with 3+ years of experience.

i cant work in my city, here are not any company startup hiring no one, we are 30 years in the past here.

What you do in my place?

Wrote a whole http request script to do direct calls to google woth the whole oauth, which where successfull, and after all this work the request responds with a fuck you, the account does not exists response. Apparently it does not give authorization for service accounts and i will be forced to use the google api request to make this fucking thing work. Fuck google.

Cure for Imposter Syndrome:

Go try to find a freelancer for a project, for something like "adding OAuth to existing .net web API 2 and angular.ja project" and many many developers respond. You will be shocked at how little they know, they say they understand the job but are clearly incompetent.

Best job security ever. Also, just suck it up and do it yourself 😆

I'm thinking about creating a central login system for all my websites, where you get redirected to and then login/sign up and then be redirect back. A bit like oAuth.

I have a few websites (and more in development) that use a login system, so that could be really useful to have... Especially because all of them are built from scratch and have their pros and cons. And security wise it's easier to concentrate on one system instead of all of them.

Another benefit is that you save some DB space, if you have lots of users!
And of course the users benefit from it as they'll be able to use all my websites with a single account.

What do you think about it?
I'll still need to do a bit of research on security but other than that, I only see benefits!

“Not a security guy” no more😼
I already completed 10/16 chapters of this book, including formatted and updated every code example in the github repo.
There’re lots of fillers in the book.
😑Lots of repeating samples.
The nosql part in node.js is completely broken.🤯
The code mixed with space and tab, so I have to format it before starting the exercise. 🙀
The git repo has about 150 forks, it makes me wonder how many copies they actually sold, since the entire book is closely tied to code samples.🤔

When the security team decides they want to reinvent the wheel instead of accepting standards like OAuth.

You know what's worse than having to come up with a new password every time you create an account? Forgetting your password every time you try to log in!

I swear, it's like my brain has a selective memory when it comes to passwords. I can remember every lyric to a song from 10 years ago, but I can't remember the password I created yesterday.

And don't even get me started on password manager software. You would think that having all of your passwords stored in one place would make things easier, but nope. I've forgotten my password for my password manager so many times that I'm starting to think I need a password manager for my password manager.

But seriously, why do we even need passwords in the first place? Why isn’t there an easier one stone kills all solution to all these password authentication nonsense?

I could remember when it was all letters, then forced to use letters + numbers…

then later forced to include symbols…

and then forced to make it lengthier…

and then solve puzzles after getting it right…

and after all the stress now we are forced to find nemo from a set of images.

I thought the misery would end there but nope. Now some platform forces 2FA like dude seriously?

For God’s sake we built self driving cars already! Why can’t one just exist without a password? Why do we always end up in a password cycle?

And please don’t say shit about oauth because if your password master (i.e: google) fucks you in the ass then all your oauth accounts are gone for good!

I'm currently having an existential crisis about the meaning of passwords in our modern society. Shit is crazy when I ponder about it I get worried.

Authentication and Identity management are just one giant shit fuck.
Ldap, PAM, OAuth and what not.
Each of them with it's own caveats.

Ldap, supposedly being the most widely used, isn't even an actual Identity management or authentication service, but just a DB misused as one.

The best part is, that if you want to selfhost some apps, you're pretty much forced to host one of these abominations too.
At least if you don't want to manage each service account's separately.

I have a question, let's say I have a website and app both using oAuth facebook login. Should I save the access token provided by facebook in my database and if I should, what will happen to the access token when user logins with facebook on website and then login again with the app? is that mean access token is going to be overwritten by new login? and do you have any other suggestions for 0auth integration?

#OAuth logic: Lets make OAuth1.0 simpler for clients.. TADA.. OAuth2.0.. OAuth1.0 looks simpler now??!!

A day using “0auth”, another day using “OAuth”...

Over the last few weeks, I've containerised the last of our "legacy" stacks, put together a working proof of concept in a mixture of DynamoDB and K8s (i.e. no servers to maintain directly), passing all our integration tests for said stack, and performed a full cost analysis with current & predicted traffic to demonstrate long term server costs can be less than half of what they are now on standard pricing (even less with reserved pricing). Documented all the above, pulled in the relevant higher ups to discuss further resources moving forward, etc. That as well as dealing with the normal day to day crud of batting the support department out the way (no, the reason Bob's API call isn't working is because he's using his password as the API key, that's not a bug, etc. etc.) and telling the sales department that no, we can't bolt a feature on by tomorrow that lets users log in via facial recognition, and that'd be a stupid idea anyway. Oh, and tracking down / fixing a particularly nasty but weird occasional bug we were getting (race hazards, gotta love 'em.)

Pretty pleased with that work, but hey, that's just my normal job - I enjoy it, and I like to think I do good work.

In the same timeframe, the other senior dev & de-facto lead when I'm not around, has... "researched" a single other authentication API we were considering using, and come to the conclusion that he doesn't want to use it, as it's a bit tricky. Meanwhile passed all the support stuff and dev stuff onto others, as he's been very busy with the above.

His full research amounts to a paragraph which, in summary, says "I'm not sure about this OAuth thing they mention."

Ok, fine, he works slowly, but whatever, not my problem. Recently however, I learn that he's paid *more than I am*. I mean... I'm not paid poorly, if anything rather above market rate for the area, so it's not like I could easily find more money elsewhere - but damn, that's galling all the same.

Doing the Full Stack Nanodegree from Udacity
Using Google's oAuth Sign in in my Flask App, I realized that no matter what browser I use, I was unable to logout, Google always threw an error my way. I figured something must be wrong with my code..
Searched on Google, couldn't find anything relevant, gave up on first 4 results(not pages, yeah I'm that lazy!)
Spent 3 hours Debugging at different points, removing all the abstraction I've put in using various libraries (Bad move)
Finally it dawned on to me to check Udacity forum as well. It's a frickin cache/cookie thing. Tried the app in an incognito window, worked like a charm. Reverted code back with all the libraries, worked like a charm again!

FUCK YOU GOOGLE! In your attempts to track users, you're even making our work difficult!

(in hindsight, I should probably be better at asking/looking for help)

Hello. (Android) dev here contemplating about the future of my profession.

I am looking for a specialization or a field in my profession where i can be free of dependencies from GAFAM (The big five)
Basically software development is me only using dependencies and stuff they and 3rdparty people have created and then it works or it doesnt. Or if you dont keep it up2date it wont work because deprecation and breaking changes. I was web developer before and changed to android because of all the libs and frameworks one needed to wield for proper development. And now android has mostly become the same. Vanilla android is easy, but u start using google apis or 3rdparty services u quickly realize how far u get away from your actual usecase. Usermanagement, oauth, 2fa, userdatamanagement, crossplattform, offline, syncing etc.

I am pretty sure the topic came up before (dev fatigue, dependency fatigue) and most of you know what i mean but i might be the recent casualty here.

Hey! I have to build a website using ReactJS and OAuth. Does anyone have tips/links/advice or things NOT to do?
I can't fuck this one up guys...

Are there any Italian devs here? Or anyone who wants to move to italy? 😂

I built startupjobsitalia com a couple months ago to help early Italian startups and founders find local talent. I moved to Italy from Norway in 2022 and noticed that there wasn't a dedicated site for this like they have in the Nordics!

It was a good way to learn Next.js, OAuth, and Supabase, but it'd be way cooler if Italians could actually get some value out of it🤞🏻

Having so much fun with pug, and nodejs last week,
Building a demo OAuth 2.0 authentication server to simulate GitHub OAuth’s behaviour.
In the next step, I will deploy it on aws for more testing.
Blog on the way...🤞

BTW, they actually built a package for render pug to React components🙄

Apparently you need to pay microsoft in order to have access to some security features, such as removing managing connected oauth apps.

What a fucking joke, I need to check a fucking screen of yours that our client has deemed as a bug.

Get your shit together and stop bring such a greedy whore microshit

You call it “oAuth 1.0”. I call it “noncense”.

OAuth/Spring Security/Spring Boot
WAY over-complicated to implement.

We're a grew guys developing an application that requires a server to orchestrate everything. We'd like to make everything within this project open source. Does anyone have any experience with open sourcing server side code which will interface with OAuth APIs and what not? How do you go about managing deploys? I'm mostly concerned with security here.

VSCode doesn't request permission to edit github workflow files by default. Because it's an OAuth app and not a token, I can't grant it scopes that it did not request. I am forced to use SSH or a personal token instead of VSCode's built-in Github authentication, but because there's no convenient way to have VSCode forget that it authenticated a repo, I am also forced to checkout my own repo again and push the changes across.

If you want your product to Just Work, then Just Use Open Processes that are easy to hook into, interrupt or partially replace. Nobody can think of everything. Not even Apple's or Microsoft's mighty designers. What everyone can do is to provide graceful failure modes and offer partial strategies.

*Triggers OAuth request through browser
Returns : success and valid tokens.

*Another project triggers the same process and code.
Returns : well shit nigga, I know I use the same logic as above but fuck you.

This weeks a joke right 😂, the recent day 0 Microsoft bug that allows anyone to get hacked, and allow someone to do whatever the hell they want.(as you can pretend to be any program on the computer)

Or the super user hack on Linux recently patched... Day 0....

The fact 80% of devs implement oauth incorrectly... So their user accounts are hackable...
Need I go on?

DAMN IT TO HELL
BURN IT
six. SIX videos ive seen. read docs. and tutorials. and still dont know how to even start
you want oauth for facebook and spotify sureee i can
but for defualt?
and an api mock online?
FML
no clue
SOS

// !rant

Need some assistance with Drupal and Dreamfactory.

Dreamfactory is an amazing piece of software that basically turns any database into a REST API. I mean any DB from SQL Server to MySQL and all kinds of others. For a connection to the API it uses JWT (JSON Web Tokens) which expire momentarily.

On Drupal, there's wsdata and rest client modules. Restclient is a module where you configure a connection via OAuth or HybridAuth to a rest server. The problem is that the rest server for dreamfactory uses JWT and i'm not sure how to get Drupal and restclient to connect that way.

Hey i want to make a chat application for production workload with more than 100000 simultaneous connection and more than 1000000 daily active user which will scale 100 times in coming 1 to 2 years for Android. I have oauth based user authentication. This chat should be able to authenticate and verify authtoken generated using the oauth. What should i use? Xmpp, mqtt or something else. Can anyone who has worked on chat application help me.

Was working on OAuth2 in unity (first time oauth attempt)
Could not get my token for like a month... Then a friend was line per lining my code, ; =\= :

It worked after that :'(

Why there has to be So Many legs to the OAuth....

1 Leg...
2 Legs...
3 Legs... Wtf...

Make it a fkin...Octopus OAuth

Why so many legs to a Dumb API ??!

Hey guys. Anyone subscribed to Symfonycasts? It is like Laracasts. Can I download all videos there as well while I'm subscribed to them?

How are the tutorials there? I want to download and watch the oAuth 2 tutorial there. Thanks!

Am I the only one who got annoyed that there is no OAuth signup for devRant?

We ended up finding ourselves with a bunch of tables that have mostly the same columns, but differ by a few. Every time we consume a REST API, we store the `access_token`s and expiration dates and the other OAuth data. However, each provider has slightly different requirements. For example, we store email addresses for email api's, other providers require us to store some additional information, etc. etc.. I'm tempted by the flexibility and lack of schema brought by document databases, but not enough to use one since they're generally slower and we already have everything in SQL. So I got the idea of using JSON columns to alleviate this issue: have a single table for all REST integrations (be it outlook or facebook), and then store the unique integration data inside of this JSON column for "additional data". This data is mostly just read, not filtered by (but ocasionally so). Has anyone had experience with this? How's the performance of JSON fields? Is this a good practice or will it get harder with more integrations?

Apparently, Spotify requires auth on all of their endpoints. So now, if I want to write a simple CRUD app I have to deal with fucking OAuth.

Can anyone help me with NativeScript social Oauth login with Vue.js ? I've been trying to figure out how to implement it. Thanks in advance.

What's the point of the Gmail API if you can do all of its functions with IMAP or POP3 and not have to have user login oauth, just account and password?

I wanted to read a company email account for certain emails related to our tickets. No one actually accesses this account, and the tool is without a GUI. As such, I can't use the Gmail API. I just remembered there must be a more ordinary way to do this because how does Outlook and other email software work? So python import imaplib and I was done in a few minutes.

Stuck trying to make Firebase Facebook Auth work with Google Chrome Extension. Just isn't working 😔

OAuth Sucks! , just sayin

I have seen references to API keys in several places. I have setup a few for various web services. However, I don't have a firm understanding of how they are protected (or not protected) from being copied and used by apps other than my own. I read a quick blurb from Google that said to use regular authentication over API keys due to them being able to be copied.

So my questions are: Are API keys just a bad way to subscribe services? Is there a way to protect them from being discovered? Maybe the app logs into a auth point for your services and is served the key to use with other services? But this key could still be gleaned from memory. Are API keys going to go away maybe in deference to things like oauth?

MRW I deploy to production server and forget to add a server domain in "OAuth redirect domains" in Firebase.
Before that I was debugging for 6 hours without success.

Anyone knows how to hash the OAuth 1.0 signature with RSA-SHA1 using PHP? Using only the value to be hashed and a key?

Just built out my first app using Cloudflare Workers, Typescript, and DurableObjects. Holy shit, this is nice stuff.

It's taken little to no time to build out:

* JSON API written in Typescript
* JWT verification against my OAuth backend (SAML support too)
* CI Automated Deployments including unit tests
* DurableObject support
* 3rd party HTTP calls + caching (built in to the framework!) to reduce network latency and hiccups.
* Cron-like tasks on each stored object so they can awaken the app on a schedule and update themselves as necessary
* Rapid deployment to new environments

The local testing with coordinated "miniflare" is dreamy too.

Seriously Microsoft, handle your OAuth took more of my brain power than Facebook, Google, GitHub, Twitter combined. Why ??????

I think I am too stupid for OAuth2. How do I handle this scenario: User deletes his account at the OAuth Provider. Lets say my own, Google, Microsoft, whaever. How do I handle data associated with the user then? I have some data which can be deleted then as it is not needed anymore.

Or is this not possible by design? If yes, this a perfect example on how to waste resources...

Is anyone familiar with google OAuth not working on webview issue and got any idea to resolve it?

I googled but it says the users will need to use the mobile browser in order to use Google OAuth.
And also tried to force open the link in chrome using js but it's not working.

To all the docker users in this platform, have you ever dockerized a spa with OAuth 2.0 Implicit grant?
I am getting this weird 404 error after I get the AT and redirection happens. This is so frustrating!!!!

Intuit documentation for using oauth 1.0 is pretty lackluster. It's very focused on making apps for their app store, not integrating with your own web app.

Been trudging through it and slowly making some progress now. I still love my fucking job but I'm ready to work on something else 😂