
OAuth1, OAuth2, OAuth...?

TL;DR OAuth2 sucks.

Please don't think of OAuth2 as the next generation of OAuth1. They are completely different, like colors: OAuth1 is the green version, OAuth2 is the red version.

The biggest OAuth1 provider is Twitter. I bet ($100!) they are not switching to OAuth2 in the near future. Pros and cons:

+ becoming compatible with the rest of social networks
- making the authorization flow insecure, like the rest of social networks

I am not saying OAuth1 is super secure — it was vulnerable to session fixation a few years ago. It was fixed in OAuth 1.0a.

OAuth2 core vulnerabilities - parameters

I have no idea why, who and, generally speaking, what the fuck, but we can pass "response_type" as a parameter in the URL (not as a setting of your Client).

Vector 1. Stolen access_token = Game Over. response_type must be a constant value in application settings.

redirect_uri

Vector 2. Vk (vkontakte) was vulnerable to this attack until Sep 2012 - redirect_uri wasn't required to obtain a token.
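Both vectors come down to an authorization endpoint trusting values that arrive in the authorize URL. The following added example (not code from the post; the CLIENTS registry and the URLs are constructed) places the pattern the post criticises, optional redirect_uri and response_type read from the query string, beside a check that requires an exact match against the registered redirect_uri and uses the response_type fixed at client registration:

```python
from urllib.parse import parse_qs

# Constructed client registry: redirect URIs and response_type are pinned at
# registration time, so neither can be chosen by whoever builds the authorize URL.
CLIENTS = {
    "client-a": {"redirect_uris": {"https://app.example/cb"}, "response_type": "code"},
}


def weak_authorize(query: str) -> dict:
    """The pattern the post criticises: redirect_uri optional, response_type from the URL."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    client = CLIENTS[q["client_id"]]
    # Falls back to a registered URI only when the parameter is absent; otherwise
    # whatever arrived in the URL is used as the redirect target.
    redirect = q.get("redirect_uri", next(iter(client["redirect_uris"])))
    return {"redirect_uri": redirect, "response_type": q.get("response_type", "code")}


def strict_authorize(query: str) -> dict:
    """Hardened check: redirect_uri required and exact-match, response_type fixed per client."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    redirect = q.get("redirect_uri")
    if not redirect:
        raise ValueError("redirect_uri is required")
    # Exact string comparison against the registered set; prefix or host-only
    # matching would accept extra path segments or query strings.
    if redirect not in client["redirect_uris"]:
        raise ValueError("redirect_uri does not match registration")
    # The URL may omit response_type or repeat the registered value, nothing else.
    if q.get("response_type") not in (None, client["response_type"]):
        raise ValueError("response_type is fixed by client registration")
    return {"redirect_uri": redirect, "response_type": client["response_type"]}


def is_accepted(query: str) -> bool:
    """True when strict_authorize accepts the request, False when it rejects it."""
    try:
        strict_authorize(query)
        return True
    except ValueError:
        return False
```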

OAuth 2.0 and the Road to Hell

They say the road to hell is paved with good intentions. Well, that’s OAuth 2.0. Last month I reached the painful conclusion that I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdrew my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing.

There wasn’t a single problem or incident I can point to in order to explain such an extreme move. All the hard fought compromises on the mailing list, in meetings, in special design committees, and in back channels resulted in a specification that fails to deliver its two main goals – security and interoperability. When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure. How did we get here?

OAuth 2.0 - The Good, The Bad & The Ugly

In a world dominated by social media, it's hard not to come across a client application which you have used to access restricted resources on some other server. For example, you might have used a web-based application (like NY Times) to share an interesting news article on your Facebook wall or tweet about it.

Or, you might have used Quora's iPhone app that accesses your Facebook or Google+ profile and customizes the results based on your profile data, like suggesting to add/invite other users to Quora, based on your friends list. The question is, how do these applications gain access to your Facebook, Twitter or Google+ accounts and how are they able to access your confidential data? Before they can do so, they must present some form of authentication credentials and authorization grants to the resource server. OAuth is often described as a valet key for the web. However, OAuth is not a new concept, but a standardization and combined wisdom of many well established protocols.

OAuth 2 Simplified

Many services such as Facebook, GitHub, and Google have already deployed OAuth 2 servers, and deployed implementations win.

The OAuth 2 spec itself leaves many decisions up to the implementor. Instead of describing all possible decisions that need to be made to successfully implement OAuth 2, this post makes decisions that are appropriate for most implementations. This post is an attempt to describe OAuth 2 in a simplified format to help developers and service providers implement the protocol.

Roles

The Third-Party Application: "Client"

The client is the application that is attempting to get access to the user's account.

The API: "Resource Server"

The resource server is the API server used to access the user's information.

The User: "Resource Owner"

The resource owner is the person who is giving access to some portion of their account.

Creating an App

Before you can begin the OAuth process, you must first register a new app with the service.

Redirect URIs

Client ID and Secret