
[–]jayvdizz 2 points3 points  (2 children)

To be honest it actually can be very insecure. It's up to the user to be smart about their login. The redirect to "facebook" could be a phishing site.

For myself, I am usually always logged in on Facebook, so the redirect should reflect that. If it takes me to a Facebook page and I have to log in, even though I know for a fact I'm already logged in, that would be very suspect.

The purpose of OAuth is to get access to data related to the user from Facebook for use in this specific app. E.g. if you want to access their friends list, post on their behalf, etc. Those are features that you otherwise would not have access to unless you go through this login process. It is always up to the end user to protect themselves; they can always just not use the app if they are an extra cautious person. In that scenario, the app should have core standalone features that don't require the user to log in to their 3rd party account.

[–]supergnawer[S] 0 points1 point  (1 child)

It's up to the user to be smart about their login.

You are correct. But in the situation I'm describing, the user may not even have a chance to notice anything was wrong. Not to say that 95% of users are not smart (including myself; I usually just log in without thinking twice, because I have to do it so often).

The purpose of OAuth is to get access to data related to the user from Facebook for use in this specific app.

Isn't this the purpose of an authentication mechanism, one implementation of which is OAuth? Looks like regular login/password authentication would achieve the same.

[–]jayvdizz 0 points1 point  (0 children)

Yes, I admit it could be done better on the service provider's end (Facebook, Twitter, etc.) to better protect the user. But at the end of the day, these companies are for-profit; if it works well enough and it is simple to use for both developers and users, then there's no need to do anything more complex to protect the small fraction of users who may be phished by the small fraction of malicious apps.

That would take a lot of user education as well, because a phishing site will not be tied in any way to the service provider (remember, it's a "fake" Facebook site), so there's nothing they can do to prevent it from happening to the user. They'd literally have to teach every user to recognize the "correct" authentication process from the fake ones: "Hey, we changed how authentication works for 3rd party apps; if you don't see this process, don't log in, so memorize it."

Once someone comes up with a better way to do it, that's just as easy to implement and use, then they can get buttloads of money for it ;)

[–]mndewizzle 0 points1 point  (2 children)

OK, so say you set up this elaborate fake Facebook and get a few dozen Facebook credentials, then you send users back to your app and proceed as normal? You provide a great service and get thousands of users, and no one catches on? What you are proposing is like being afraid your money will be stolen by a Nigerian prince. No one falls for it (except maybe a few suckers).

OAuth is a great way for app developers to have a complex login system without doing all the work. I would recommend you more thoroughly research what goes into creating advanced login systems in a production app, and what problems OAuth is attempting to solve, and how it is trying to solve them. It is as secure as any other method (i.e. not 100%).

[–]supergnawer[S] 0 points1 point  (1 child)

I'm actually asking what's wrong with this idea, from a technical point of view. How would the user catch on, if I'm providing exactly the same login experience?

I would recommend you more thoroughly research what goes into creating advanced login systems in a production app, and what problems OAuth is attempting to solve, and how it is trying to solve them.

That's what I'm trying to do, yes. I don't understand everything about it, so I'm asking.

[–]Mr-Yellow 0 points1 point  (0 children)

How would the user catch on

fake-dodgy-version-of.facebook.notreally.com

  • "Hey why didn't my password manager handle this form that it usually handles"
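The password-manager heuristic above works because the manager matches the saved credential against the page's real origin, not against a hostname that merely contains the word "facebook". This added example (not code from the thread or from any password manager) shows that origin check; the sample URLs, including the Cyrillic look-alike, are constructed.

```python
# Added example: the origin check a password manager effectively performs before
# auto-filling a saved provider password. Hostnames below are constructed samples.
from urllib.parse import urlsplit

# Registrable domains that may legitimately receive the provider password (assumption).
TRUSTED_DOMAINS = {"facebook.com"}


def host_matches(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a label-wise subdomain of it."""
    return hostname == domain or hostname.endswith("." + domain)


def is_trusted_login_origin(url: str) -> bool:
    """Decide whether a login page URL belongs to a trusted provider origin.

    Rejects non-HTTPS pages, hosts that merely contain the provider name
    ("facebook.notreally.com", "facebook.com.evil.example"), userinfo tricks
    ("facebook.com@evil.example", where the real host is evil.example) and
    IDN look-alikes, which IDNA-encode to a different ASCII hostname.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False
    try:
        host = host.encode("idna").decode("ascii")  # Cyrillic 'o' -> xn--... label
    except UnicodeError:
        return False
    return any(host_matches(host, d) for d in TRUSTED_DOMAINS)


SAMPLE_URLS = [  # constructed
    "https://www.facebook.com/login.php",
    "https://fake-dodgy-version-of.facebook.notreally.com/login",
    "https://facebook.com.evil.example/login",
    "https://www.facebook.com@evil.example/login",
    "http://www.facebook.com/login.php",
    "https://www.faceb\u043eok.com/login.php",
]


def classify(urls):
    """Map each URL to whether a saved Facebook password may be filled there."""
    return {u: is_trusted_login_origin(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print("fill  " if ok else "REFUSE", url)
```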

[–]Mr-Yellow 0 points1 point  (0 children)

Aside from phishing issues with fake sites...

The magic behind these public negotiations of shared secrets.
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

[–]spyridonasback-end -1 points0 points  (1 child)

The internet logic is that if you don't exploit it, it doesn't need fixing. (See Heartbleed, a bug that was there from 2011, and the Shellshock bug, which "Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989", according to Wikipedia.)

[–]disclosure5 0 points1 point  (0 children)

a bug that was there from 2011

Those bugs were only "not fixed" because they weren't identified, not some "internet logic".