Sunday, 21 October 2012

OAuth 2.0 and interoperability

Lately I have been more and more involved with OAuth (at work and in my spare time with Apache Amber) so before I forget some lessons learned I decided to put them here.

First reminder to self: 

OAuth is NOT an authentication protocol. It is an access delegation protocol.

I hope this is clear to all the OAuth developers/implementators. Should you use OAuth for authenticate in your application/website you'd better be careful (specially if you use the client side flow aka implicit grant). If you wonder why give a look here and here.

  • Risk: "access_token phishing" attack
  • Mitigation: Use Open ID Connect or API like https://graph.facebook.com/app?access_token=YOUR_TOKEN

To be continued...

P.S. little off topic Apache Amber is now linked also from http://oauth.net/2/