Re: [Wikitech-l] OAuth critique
Most of those concerns are valid. Daniel Friesen has managed to convince me that OAuth is absolutely horrible, and that we will probably have to make our own authentication framework.

--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com

On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan yastrak...@wikimedia.org wrote:

> There was a discussion recently about OAuth, and I just saw this blog post
> http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> (posted on slashdot
> http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit )
> with some heavy criticisms. I am not an expert in OAuth and do not yet have a
> pro/against position, this is more of an FYI for those interested.
>
> --yurik

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] OAuth critique
Hoi,

MAY I QUOTE YOU ???

Thanks,
GerardM

On 22 March 2013 17:11, Tyler Romeo tylerro...@gmail.com wrote:

> Most of those concerns are valid. Daniel Friesen has managed to convince me
> that OAuth is absolutely horrible, and that we will probably have to make our
> own authentication framework.
>
> --
> Tyler Romeo
> Stevens Institute of Technology, Class of 2015
> Major in Computer Science
> www.whizkidztech.com | tylerro...@gmail.com
>
> On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan yastrak...@wikimedia.org wrote:
>
>> There was a discussion recently about OAuth, and I just saw this blog post
>> http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
>> (posted on slashdot
>> http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit )
>> with some heavy criticisms. I am not an expert in OAuth and do not yet have a
>> pro/against position, this is more of an FYI for those interested.
>>
>> --yurik

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] OAuth critique
I think the caricature of OAuth there should be taken with a grain of salt. The author talks about OAuth, but seems to be referring to OAuth 2 primarily, which is very different from OAuth 1. Also, the author says that the protocol was designed for authorizing website-to-website communication, but then says it's insecure in a desktop app environment, which it is. They also point to the (very good) article about using OAuth for authentication, which again, the protocol was not designed for.

So yes, if you don't use the protocol in the way it's intended, absolutely it's insecure. The same can be said for AES encryption (like if you use it in CBC mode to protect predictable messages).

Should you trust a system just because it's using OAuth? Definitely not. But is it insecure just because it's using OAuth? I would say no. If you disagree, you can even get paid if you can find a flaw in Facebook's implementation, so you should take them up on it :)

On Fri, Mar 22, 2013 at 9:11 AM, Tyler Romeo tylerro...@gmail.com wrote:

> Most of those concerns are valid. Daniel Friesen has managed to convince me
> that OAuth is absolutely horrible, and that we will probably have to make our
> own authentication framework.
>
> --
> Tyler Romeo
> Stevens Institute of Technology, Class of 2015
> Major in Computer Science
> www.whizkidztech.com | tylerro...@gmail.com
>
> On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan yastrak...@wikimedia.org wrote:
>
>> There was a discussion recently about OAuth, and I just saw this blog post
>> http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
>> (posted on slashdot
>> http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit )
>> with some heavy criticisms. I am not an expert in OAuth and do not yet have a
>> pro/against position, this is more of an FYI for those interested.
>>
>> --yurik

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] OAuth critique
On Fri, Mar 22, 2013 at 8:59 AM, Yuri Astrakhan yastrak...@wikimedia.org wrote:

> There was a discussion recently about OAuth, and I just saw this blog post
> http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> (posted on slashdot
> http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit )
> with some heavy criticisms. I am not an expert in OAuth and do not yet have a
> pro/against position, this is more of an FYI for those interested.

OAuth has ... plenty of issues ... ;) but it has its place.

That place is *specifically* in authorizing third-party web applications to get partial access on behalf of a user without getting unfettered access to their credentials -- something that should be useful for wiki-related tools such as on Toolserver and Labs, or on other third-party hosting.

It shouldn't be used for mobile or desktop apps. It can't replace CentralAuth. It can't replace login. It can't replace OpenID. And it shouldn't be shoved into any of those things where it won't fit. :)

-- brion

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] OAuth critique
Oh yay, I actually convinced someone.

This post is a little different than mine. A random spattering of high-level qualms with it. OAuth 2 not being a protocol. Flow issues (though a little debatable). And some stuff about enterprise that besides being irrelevant to us sounds like berating the taste of an apple cause it doesn't taste like an orange.

For reference this was my overview of the issues with both the OAuth 1 and OAuth 2 standards:
https://www.mediawiki.org/wiki/OAuth/Issues

I didn't get round to an actual specification. But in the interest of writing one, a while ago I did go over every user flow I could think of an auth system having, made notes and comments on each of them, then decided what ones should be rejected.
https://github.com/dantman/protoauth-spec/blob/master/auth-flows.md

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

On Fri, 22 Mar 2013 09:11:06 -0700, Tyler Romeo tylerro...@gmail.com wrote:

> Most of those concerns are valid. Daniel Friesen has managed to convince me
> that OAuth is absolutely horrible, and that we will probably have to make our
> own authentication framework.
>
> --
> Tyler Romeo
> Stevens Institute of Technology, Class of 2015
> Major in Computer Science
> www.whizkidztech.com | tylerro...@gmail.com
>
> On Fri, Mar 22, 2013 at 11:59 AM, Yuri Astrakhan yastrak...@wikimedia.org wrote:
>
>> There was a discussion recently about OAuth, and I just saw this blog post
>> http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
>> (posted on slashdot
>> http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit )
>> with some heavy criticisms. I am not an expert in OAuth and do not yet have a
>> pro/against position, this is more of an FYI for those interested.
>>
>> --yurik

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] OAuth critique
On 03/22/2013 12:48 PM, Chris Steipp wrote:

> I think the caricature of OAuth there should be taken with a grain of salt.
> The author talks about OAuth, but seems to be referring to OAuth 2 primarily,
> which is very different from OAuth 1. Also, the author says that the protocol
> was designed for authorizing website-to-website communication, but then says
> it's insecure in a desktop app environment, which it is. They also point to
> the (very good) article about using OAuth for authentication, which again, the
> protocol was not designed for.

I agree. There are valid issues with OAuth, but the article is way over the top, and some of the statements, like:

    Third party software cannot run automated processes on an OAuth API.

are flat out false. That's exactly how services like IFTTT and Zapier work. They require a one-time authentication step, then can run in the background automated forever (or until revoked).

    A web site can embed a web browser via a Java Applet or similar, or have a
    web browser server side which presents the OAuth log in page to the user,
    but slightly modified to have all the data entered pass through the third
    party site. Therefore OAuth doesn't even fulfill its own primary security
    objective!

is a bit silly, since Java applets are increasingly being sandboxed and just completely disabled/uninstalled, and some users can certainly tell the difference between a weird Java browser and a popup in their main browser.

The biggest real issue is probably the optional components, but I sense that sites are already forming de facto profiles (i.e. new sites gravitate toward particular components).

    Also it is common that OAuth implementations are using security tokens which
    expire, meaning the boss will need to keep reentering his Calendar
    credentials again and again.

I don't know anyone that requires you to enter your password again. Some require automatic token renewal, and with others (again, an increasing number, based on what I can see) the token lasts until revocation.

Matt Flaschen

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
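The token lifecycle that Brion and Matt describe above (scoped partial access without handing over credentials, a single consent step followed by unattended renewal, and revocation ending the grant) can be shown end to end with a small model. The following is an added example, not code from this thread or from MediaWiki's OAuth extension: the `AuthorizationServer`, `ResourceServer` and `BackgroundJob` classes, the `calendar:*` scopes, the user "alice" and the client "calendar-sync" are all constructed for illustration, and the introspection call is a modelled in-process lookup rather than any real library's API. It also goes one step beyond the thread by rotating the refresh token on every renewal, so a copied refresh token that is replayed after use is rejected.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float  # float("inf") for refresh tokens, which last until revoked


class AuthorizationServer:
    """Constructed model of an OAuth 2 authorization server: issues a short-lived
    access token plus a refresh token, renews non-interactively, and revokes."""

    def __init__(self, access_ttl=3600.0):
        self.access_ttl = access_ttl
        self._access = {}    # access token  -> Grant
        self._refresh = {}   # refresh token -> Grant
        self.consent_prompts = 0  # counts interactive user authorizations

    def authorize(self, user, client_id, scopes, now):
        # One-time interactive consent. The user authenticates to this server
        # (credential handling is out of scope here); the client only ever
        # receives tokens, never the user's password.
        self.consent_prompts += 1
        return self._issue(user, client_id, frozenset(scopes), now)

    def _issue(self, user, client_id, scopes, now):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._access[access] = Grant(user, client_id, scopes, now + self.access_ttl)
        self._refresh[refresh] = Grant(user, client_id, scopes, float("inf"))
        return access, refresh

    def refresh(self, refresh_token, now):
        # Non-interactive renewal with rotation: the presented refresh token is
        # consumed, so a replayed copy of it fails.
        grant = self._refresh.pop(refresh_token, None)
        if grant is None:
            return None
        return self._issue(grant.user, grant.client_id, grant.scopes, now)

    def introspect(self, access_token, now):
        grant = self._access.get(access_token)
        if grant is None:
            return "invalid", None
        if now >= grant.expires_at:
            return "expired", None
        return "active", grant

    def revoke(self, user, client_id):
        # User withdraws consent: every token for this (user, client) pair dies.
        removed = 0
        for table in (self._access, self._refresh):
            doomed = [t for t, g in table.items()
                      if g.user == user and g.client_id == client_id]
            for t in doomed:
                del table[t]
                removed += 1
        return removed


class ResourceServer:
    """The protected API: trusts the authorization server and enforces scope."""

    def __init__(self, auth):
        self.auth = auth

    def handle(self, access_token, required_scope, now):
        status, grant = self.auth.introspect(access_token, now)
        if status != "active":
            return status, None
        if required_scope not in grant.scopes:
            return "insufficient_scope", None   # partial access only
        return "ok", f"{required_scope} data for {grant.user}"


class BackgroundJob:
    """An unattended third-party process holding tokens from one consent step.
    It renews its access token itself; the user is never asked again."""

    def __init__(self, auth, api, access, refresh):
        self.auth, self.api, self.access, self.refresh = auth, api, access, refresh

    def run(self, scope, now):
        status, body = self.api.handle(self.access, scope, now)
        if status in ("expired", "invalid") and self.refresh:
            renewed = self.auth.refresh(self.refresh, now)
            if renewed is None:                 # refresh token revoked/rotated away
                self.refresh = None
                return "reauthorization_required", None
            self.access, self.refresh = renewed
            status, body = self.api.handle(self.access, scope, now)
        return status, body


def demo():
    """Walks the lifecycle with a constructed user/client; returns the outcomes."""
    auth = AuthorizationServer(access_ttl=3600)
    api = ResourceServer(auth)
    access, refresh = auth.authorize("alice", "calendar-sync", ["calendar:read"], now=0)
    job = BackgroundJob(auth, api, access, refresh)
    results = [
        job.run("calendar:read", now=10),      # fresh token, in scope
        job.run("calendar:write", now=20),     # scope never granted
        job.run("calendar:read", now=5000),    # access expired: silent renewal
        ("replayed_refresh", auth.refresh(refresh, now=5001)),  # old token consumed
    ]
    auth.revoke("alice", "calendar-sync")
    results.append(job.run("calendar:read", now=9000))  # grant gone
    return results, auth.consent_prompts


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The point the model makes concrete is the one Matt draws: token expiry is a property of the access token, not of the user's session, so an expiring token forces a refresh exchange rather than a password prompt, and the only thing that forces the user back to the consent screen is revocation (or loss of the refresh token). Scope enforcement lives entirely in the resource server, which is what gives the third party "partial access" in Brion's sense.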