Here's my view of why 2-legged OAuth (which "isn't really OAuth") is such a
handy tool to have for a system already using OAuth. Here are some problems
that 2-legged OAuth does *not* have, and a list of other solutions that do
(each assumes best possible implementation on both ends).
- the user's password is exposed to a MITM
    - http basic
    - "API Key"
- hassle configuring apache or other layers -- (with OAuth, all
  authentication is in the application code and storage)
    - http basic
    - http digest
    - HTTPS
- a MITM interceptor can acquire information that can be used to
  impersonate the user
    - http basic
    - http digest
    - "API Key"
    - HTTPS (when exploited by obscure circumstances such as DNS
      compromise or unsophisticated user)
- non-standard implementation without community security vetting
    - "API Key" + "API Secret" (or other signing-with-secret solution)
The best non-OAuth solution, security-wise, is a secret-signed request +
HTTPS. The only thing OAuth misses from this solution is content encryption.
HTTPS can be used alongside OAuth, making it the overall superior solution.

So, first of all, what do others think of my description of the space above?

Second, here is what 2-legged OAuth is missing from "the spirit of OAuth": In
three-legged OAuth, the user can revoke the third-party's access to their
resources at any time, if they stop trusting the third-party. In two-legged
OAuth, if the service fears that their credentials have been compromised,
they can change them, but -- if I'm not mistaken -- this results in all of
the user tokens being invalidated as well, even though the compromised
service creds wouldn't necessarily have resulted in access to the user creds
or resources. In other words: users revoking their OAuth keys for a service
does not have annoying side-effects, but a service changing its credentials
DOES.

I realize that this wasn't one of the goals of OAuth, and on a
service-by-service basis it seems reasonable for the onus of security and
data-management to be
--
You received this message because you are subscribed to the Google Groups
"OAuth" group.
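The "secret-signed request" the post describes is, in 2-legged OAuth 1.0 terms, an HMAC-SHA1 signature over the request computed with the consumer secret as the key (RFC 5849). The following is an added example, not code from the post or the OAuth group: it implements the client-side signing and the server-side verification, and goes slightly beyond the post by also rejecting stale timestamps and replayed nonces. The consumer key, consumer secret and API URL are constructed sample values; `CONSUMERS`, `client_sign_request` and `Verifier` are names chosen here, not part of any library.

```python
"""Two-legged OAuth 1.0 request signing (HMAC-SHA1, RFC 5849) with server-side
verification. Added illustration, not code from the original post: the
consumer key, secret and URL below are constructed sample values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample credentials, shared out-of-band between the two "legs".
CONSUMERS = {"example-consumer-key": "example-consumer-secret"}


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters pass."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Build the signature base string that client and server must agree on.
    Query-string and body/oauth_* parameters are merged, encoded, and sorted."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; in 2-legged calls the token secret is empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_sign_request(method, url, consumer_key, consumer_secret, body=None, now=None):
    """Client side: attach the oauth_* protocol parameters and the signature.
    The secret is used only as the HMAC key; it never appears on the wire."""
    params = dict(body or {})
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params


class Verifier:
    """Server side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, consumers, window_seconds=300):
        self.consumers = consumers
        self.window = window_seconds
        self.seen = set()  # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        now = now if now is not None else time.time()
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer key"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        nonce = params.get("oauth_nonce")
        if not nonce:
            return False, "missing nonce"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        expected = sign(method, url, params, secret)
        # Constant-time comparison so a wrong guess leaks nothing about the MAC.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        key = (params["oauth_consumer_key"], ts, nonce)
        if key in self.seen:
            return False, "nonce replayed"
        self.seen.add(key)  # record only requests that actually verified
        return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.test/v1/items?scope=all"  # constructed
    req = client_sign_request("POST", url, "example-consumer-key",
                              "example-consumer-secret", {"name": "widget"})
    server = Verifier(CONSUMERS)
    print("genuine :", server.verify("POST", url, req))                 # (True, 'ok')
    print("replayed:", server.verify("POST", url, req))                 # (False, 'nonce replayed')
    print("tampered:", server.verify("POST", url, dict(req, name="gadget")))  # (False, 'bad signature')
```

Everything an on-path observer sees (consumer key, nonce, timestamp, signature) is insufficient to forge a different request, because the signature is bound to the method, URL and every parameter under a secret that is never transmitted; what signing does not give you is confidentiality of the payload, which is the gap the post says HTTPS fills. The base-string builder does not strip default ports from the host or merge Authorization-header parameters, which a production implementation of RFC 5849 must also do.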