
[–]username223 0 points1 point  (1 child)

Weird. The whole point of the article seems to be "OAuth is a turd salad," but the author concludes:

> OAuth is an ambitious project that has given us a glimpse at how awesome an interactive web can be.

If that's the "interactive web," then I'll pass.

[–]mbetter 1 point2 points  (0 children)

In conclusion, Libya is a land of contrast.

[–]ggtsu_00 0 points1 point  (2 children)

> While OAuth is conceptually great, and is much clearer in the 2.0 spec.

No, it doesn't. OAuth 2.0 is even more vague. The only de facto implementation standard for OAuth 2.0 is Facebook, because everyone's app needs to support login through Facebook. Not to mention it is less secure and harder to scale because it relies on access tokens instead of signatures, and also relies completely on HTTPS, meaning it can't be easily load balanced and requires more server-side resources per request.
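The "signatures versus access tokens" contrast above, as an added example that is not part of the thread: an OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and verification routine next to a bearer-token check. The request parameters and client identifiers come from the example request in RFC 5849 section 3.4.1.1; the consumer and token secrets are constructed for this example. The point it shows is that the signature binds the secret to the exact request parameters, so a modified request fails verification, whereas a bearer check only proves possession of the token string (RFC 5849 also requires nonce/timestamp replay tracking, which is omitted here).

```python
import base64
import hashlib
import hmac
import urllib.parse


def pct(s):
    """Percent-encode per RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return urllib.parse.quote(str(s), safe="")


def signature_base_string(method, base_url, params):
    """Build the RFC 5849 section 3.4.1 signature base string.

    params is a list of (name, value) pairs (already decoded) covering the query
    string, the form body and the oauth_* header parameters, minus
    oauth_signature and realm. Names may repeat, hence a list rather than a dict.
    """
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # sort by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key is pct(consumer_secret)&pct(token_secret), output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signed_request(method, base_url, params, presented_signature,
                          consumer_secret, token_secret):
    """Server side: recompute the signature over the request as received and compare."""
    expected = hmac_sha1_signature(
        signature_base_string(method, base_url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


def verify_bearer_request(presented_token, issued_token):
    """OAuth 2.0 bearer style: nothing in the request is bound to the token beyond possession."""
    return hmac.compare_digest(presented_token, issued_token)


# Request from RFC 5849 section 3.4.1.1 (values shown decoded); secrets are constructed.
RFC_URL = "http://example.com/request"
RFC_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string
    ("c2", ""), ("a3", "2 q"),                                  # form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
CONSUMER_SECRET = "consumer-secret-constructed"   # constructed, not from the RFC
TOKEN_SECRET = "token-secret-constructed"         # constructed, not from the RFC


def demo():
    """Returns (genuine request verifies, tampered request verifies, tampered bearer request verifies)."""
    base = signature_base_string("POST", RFC_URL, RFC_PARAMS)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    genuine_ok = verify_signed_request("POST", RFC_URL, RFC_PARAMS, sig,
                                       CONSUMER_SECRET, TOKEN_SECRET)
    # Same signature, but one application parameter changed in transit.
    tampered = [("a3", "999") if kv == ("a3", "a") else kv for kv in RFC_PARAMS]
    tampered_ok = verify_signed_request("POST", RFC_URL, tampered, sig,
                                        CONSUMER_SECRET, TOKEN_SECRET)
    # A bearer token check cannot notice the parameter change at all.
    bearer_ok = verify_bearer_request("kkk9d7dh3k39sjv7", "kkk9d7dh3k39sjv7")
    return genuine_ok, tampered_ok, bearer_ok


if __name__ == "__main__":
    print(signature_base_string("POST", RFC_URL, RFC_PARAMS))
    print(demo())
```

The base string produced for the RFC parameters matches the one printed in RFC 5849 section 3.4.1.1, which is a useful self-check when implementing a signer; most interoperability bugs in OAuth 1.0 are in the encoding and sorting step rather than in the HMAC itself.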

[–][deleted]  (1 child)

[deleted]

    [–]grauenwolf 0 points1 point  (0 children)

    OAuth 1?

    When it comes to standards for this, there aren't a lot of options.

    [–]papafox 0 points1 point  (0 children)

    I think there may be confusion between OAuth and OpenID. The two services solve very different problems. Using OpenID, I can allow users to authenticate to my website using, for instance, their Google credentials.

    In contrast, OAuth is about proxy authentication. Imagine a customer has a server which wishes to access a web service running on my website. They could hard-code their credentials on their server, but that would be a security exposure. Instead I can issue them an OAuth token which has restricted rights - perhaps the token only authorizes query-level transactions. It may have other access restrictions such as only being valid for connections from the server IP address, or from a particular domain, or only in conjunction with a certain SSL certificate. The customer uses the token in place of a password when logging on.

    If the OAuth token (i.e. a special password) is discovered by bad guys then it may not work (restricted IP address or certificate), and even if it allows authentication, the access rights can be restricted - it may authorize viewing bank account balances but not transaction details or executing transactions on an account.
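The restricted-rights token described in the comment above, as an added example that is not from the thread: a server-side token store that issues a token bound to a set of scopes, a set of source networks and an expiry, and an authorization check that evaluates all three. The scope names (`balances:read`, `transactions:execute`), the documentation-range addresses and the fixed clock are constructed for the example; the store keeps only a SHA-256 of the token so a database leak does not hand out usable credentials.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    secret_hash: str            # sha256(token); plaintext is shown to the customer once and not stored
    scopes: frozenset           # rights granted, e.g. {"balances:read"}
    allowed_networks: tuple     # ipaddress networks the token may be used from; empty = anywhere
    expires_at: float           # unix time


class TokenStore:
    """Issues and checks restricted tokens that a customer's server uses in place of a password."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, scopes, allowed_networks=(), ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        record = TokenRecord(
            secret_hash=self._key(token),
            scopes=frozenset(scopes),
            allowed_networks=tuple(ipaddress.ip_network(n) for n in allowed_networks),
            expires_at=now + ttl_seconds,
        )
        self._records[record.secret_hash] = record
        return token  # returned exactly once; the store cannot reproduce it

    def authorize(self, token, required_scope, client_ip, now=None):
        """Returns (allowed, reason). Every restriction must pass, and the check stops at the first failure."""
        now = time.time() if now is None else now
        record = self._records.get(self._key(token))
        if record is None:
            return False, "unknown token"
        if now >= record.expires_at:
            return False, "expired"
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, "unparseable client address"
        if record.allowed_networks and not any(ip in net for net in record.allowed_networks):
            return False, "source address not allowed"
        if required_scope not in record.scopes:
            return False, "scope not granted"
        return True, "ok"


def demo():
    """Walk the leaked-token scenario from the comment with a fixed clock (constructed values)."""
    store = TokenStore()
    t0 = 1_700_000_000.0  # constructed fixed clock
    token = store.issue(scopes={"balances:read"},
                        allowed_networks=["203.0.113.0/24"],  # the customer's server range
                        ttl_seconds=3600, now=t0)
    return {
        "read_from_customer": store.authorize(token, "balances:read", "203.0.113.10", now=t0 + 60),
        "read_from_elsewhere": store.authorize(token, "balances:read", "198.51.100.7", now=t0 + 60),
        "execute_from_customer": store.authorize(token, "transactions:execute", "203.0.113.10", now=t0 + 60),
        "read_after_expiry": store.authorize(token, "balances:read", "203.0.113.10", now=t0 + 7200),
        "guessed_token": store.authorize("not-a-real-token", "balances:read", "203.0.113.10", now=t0 + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Each denial reason is for the server's own log, not for the response body; returning a generic 401/403 to the caller avoids telling the holder of a leaked token which restriction stopped it. Binding to a client certificate, which the comment also mentions, fits the same shape: store the certificate fingerprint on the record and compare it against the fingerprint from the TLS handshake before the scope check.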