Skip to main content

Posts

Showing posts from October, 2012

OAuth 2.0 and interoperability

Lately I have been more and more involved with OAuth (at work and in my spare time with Apache Amber) so before I forget some lessons learned I decided to put them here.
First reminder to self: OAuth is NOT an authentication protocol. It is an access delegation protocol. I hope this is clear to all the OAuth developers/implementators. Should you use OAuth for authenticate in your application/website you'd better be careful (specially if you use the client side flow aka implicit grant). If you wonder why give a look here and here.

Risk:"access_token phishing" attackMitigation: Use Open ID Connect or API like https://graph.facebook.com/app?access_token=YOUR_TOKEN
To be continued...

P.S. little off topic Apache Amber is now linked also from http://oauth.net/2/