Skip to main content

Posts

Showing posts from October, 2012

OAuth 2.0 and interoperability

Lately I have been more and more involved with OAuth (at work and in my spare time with Apache Amber ) so before I forget some lessons learned I decided to put them here. First reminder to self:  OAuth is NOT an authentication protocol. It is an access delegation protocol. I hope this is clear to all the OAuth developers/implementators. Should you use OAuth for authenticate in your application/website you'd better be careful (specially if you use the client side flow aka implicit grant). If you wonder why give a look here and here . Risk: "access_token phishing" attack Mitigation : Use Open ID Connect or API like https://graph.facebook.com/app?access_token=YOUR_TOKEN To be continued... P.S. little off topic Apache Amber is now linked also from http://oauth.net/2/