OAuth critique


OAuth critique

Yuri Astrakhan-2
There was a discussion recently about OAuth, and I just saw this blog
post<http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html>
(posted
on slashdot<http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit>)
with some heavy criticisms. I am not an expert in OAuth and do not yet have
a pro/against position, this is more of an FYI for those interested.

--yurik
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: OAuth critique

Tyler Romeo
Most of those concerns are valid. Daniel Friesen has managed to convince
me that OAuth is absolutely horrible, and that we will probably have to
make our own authentication framework.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | [hidden email]



Re: OAuth critique

Gerard Meijssen-3
Hoi,
MAY I QUOTE YOU ???
Thanks,
     GerardM


On 22 March 2013 17:11, Tyler Romeo <[hidden email]> wrote:

> Most of those concerns are valid. Daniel Friesen has managed to convince
> me that OAuth is absolutely horrible, and that we will probably have to
> make our own authentication framework.

Re: OAuth critique

Chris Steipp
In reply to this post by Tyler Romeo
I think the caricature of OAuth there should be taken with a grain of
salt. The author talks about "OAuth", but seems to be referring to
OAuth 2 primarily, which is very different from OAuth 1. Also, the
author says that the protocol was designed for authorizing
website-to-website communication, but then says it's insecure in a
desktop app environment, which it is. They also point to the (very
good) article about using OAuth for authentication, which again, the
protocol was not designed for.

So yes, if you don't use the protocol in the way it's intended,
absolutely it's insecure. The same can be said for AES encryption
(like if you use it in CBC mode to protect predictable messages).
Should you trust a system just because it's using OAuth? Definitely
not. But is it insecure just because it's using OAuth? I would say no.
If you disagree, you can even get paid if you can find a flaw in
Facebook's implementation, so you should take them up on it :)



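The point Chris makes about OAuth not being designed for authentication is easier to see with a concrete exchange. Below is an added simulation (not code from this thread, from MediaWiki, or from the linked article): a small in-memory authorization server, a relying party that treats any valid access token as a login, and one that first checks the token was issued to itself. The client ids, user names and the introspection call are all constructed for the example.

```python
"""Why an OAuth access token is not proof of who the user is.

Added example; the authorization server, client ids ("attacker-app",
"honest-site") and the introspection lookup are constructed for the
simulation, not taken from any real deployment.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    value: str
    user: str         # resource owner who approved the grant
    client_id: str    # client the token was issued to (its audience)
    scope: frozenset


class AuthorizationServer:
    """Issues bearer tokens to registered clients and can look them up later."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, client_id, scope):
        tok = AccessToken(secrets.token_urlsafe(16), user, client_id, frozenset(scope))
        self._tokens[tok.value] = tok
        return tok

    def introspect(self, value):
        """Server-side lookup a relying party can make (RFC 7662 style)."""
        return self._tokens.get(value)


def naive_login(auth_server, presented_token):
    """Relying party that treats *any* valid token as a login.

    Vulnerable on purpose: it never checks which client the token was issued
    to, so a token some other app obtained for the victim logs whoever holds
    it in as the victim.
    """
    tok = auth_server.introspect(presented_token)
    if tok is None:
        return None
    return tok.user


def audience_checked_login(auth_server, presented_token, my_client_id):
    """Relying party that only accepts tokens issued to its own client id."""
    tok = auth_server.introspect(presented_token)
    if tok is None or not hmac.compare_digest(tok.client_id, my_client_id):
        return None
    return tok.user


def run_token_substitution():
    """Simulate the attack; returns (naive_result, checked_result, legit_result)."""
    auth = AuthorizationServer()
    # The victim authorizes a harmless-looking third-party app run by the attacker.
    victim_token = auth.issue(user="victim", client_id="attacker-app", scope={"profile:read"})
    # The attacker replays that token to a site that "logs in with OAuth".
    naive = naive_login(auth, victim_token.value)
    checked = audience_checked_login(auth, victim_token.value, my_client_id="honest-site")
    # A token the honest site obtained for its own user is still accepted.
    own_token = auth.issue(user="alice", client_id="honest-site", scope={"profile:read"})
    legit = audience_checked_login(auth, own_token.value, my_client_id="honest-site")
    return naive, checked, legit


if __name__ == "__main__":
    print(run_token_substitution())
```

The token carries a user and a scope, so the naive site has no way to tell that the bearer is not that user; the audience check is the minimum a site doing "login with OAuth" needs, and it is exactly what plain OAuth leaves to the implementer.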

Re: OAuth critique

Brion Vibber
In reply to this post by Yuri Astrakhan-2
OAuth has ... plenty of issues ... ;) but it has its place.

That place is *specifically* in authorizing third-party web
applications to get partial access on behalf of a user without getting
unfettered access to their credentials -- something that should be
useful for wiki-related tools such as on Toolserver and Labs, or on
other third-party hosting.

It shouldn't be used for mobile or desktop apps. It can't replace
CentralAuth. It can't replace login. It can't replace OpenID. And it
shouldn't be shoved into any of those things where it won't fit. :)

-- brion


Re: OAuth critique

Daniel Friesen-2
In reply to this post by Tyler Romeo
Oh yay, I actually convinced someone.

This post is a little different than mine: a random spattering of
high-level qualms with it. OAuth 2 not being a protocol. Flow issues
(though a little debatable). And some stuff about "enterprise" that,
besides being irrelevant to us, sounds like berating the taste of an apple
because it doesn't taste like an orange.

For reference, this was my overview of the issues with both the OAuth 1 and
OAuth 2 standards:
https://www.mediawiki.org/wiki/OAuth/Issues

I didn't get round to an actual specification. But in the interest of
writing one, a while ago I did go over every user flow I could think of an
auth system having, made notes and comments on each of them, then decided
which ones should be rejected.
https://github.com/dantman/protoauth-spec/blob/master/auth-flows.md

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]


Re: OAuth critique

Matthew Flaschen-2
In reply to this post by Chris Steipp
On 03/22/2013 12:48 PM, Chris Steipp wrote:
> I think the caricature of OAuth there should be taken with a grain of
> salt. The author talks about "OAuth", but seems to be referring to
> OAuth 2 primarily, which is very different from OAuth 1. Also, the
> author says that the protocol was designed for authorizing
> website-to-website communication, but then says it's insecure in a
> desktop app environment, which it is. They also point to the (very
> good) article about using OAuth for authentication, which again, the
> protocol was not designed for.

I agree.  There are valid issues with OAuth, but the article is way over
the top, and some of the statements, like:

"Third party software cannot run automated processes on an OAuth API."

are flat out false.

That's exactly how services like IFTTT and Zapier work.  They require a
one-time authentication step, then can run in the background automated
forever (or until revoked).

"A web site can embed a web browser via a Java Applet or similar, or
have a web browser server side which presents the OAuth log in page to
the user, but slightly modified to have all the data entered pass
through the third party site. Therefore OAuth doesn't even fulfill its
own primary security objective!"

is a bit silly, since Java applets are increasingly being sandboxed and
just completely disabled/uninstalled, and some users can certainly tell
the difference between a weird Java browser and a popup in their main
browser.

The biggest real issue is probably the optional components, but I sense
that sites are already forming de facto profiles (i.e. new sites
gravitate toward particular components).

"Also it is common that OAuth implementations are using security tokens
which expire, meaning the boss will need to keep reentering his Calendar
credentials again and again."

I don't know anyone that requires you to enter your password again.
Some require automatic token renewal, and with others (again, an
increasing number, based on what I can see) the token lasts until
revocation.

Matt Flaschen

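Brion's description of OAuth's proper place (partial access for a third-party app without handing over the user's credentials) and Matt's point that an automated process authorizes once and then runs until revoked are the same mechanism seen from two sides. The following added simulation (not code from this thread or from MediaWiki) shows it end to end: a one-time consent that yields a refresh token, short-lived access tokens renewed silently in the background, scope enforcement by the resource side, and revocation stopping the job. The scopes ("calendar:read", "calendar:write"), the 60-second token lifetime and the fake clock are all assumptions made for the example.

```python
"""Delegated, scoped, long-running access without the user's password.

Added example; the authorization server, scope names, token lifetime and
clock are constructed for the simulation, not taken from any real service.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    client_id: str
    scope: frozenset
    refresh_token: str
    revoked: bool = False


class Clock:
    """Controllable clock so the example can fast-forward past expiry."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    ACCESS_TTL = 60  # seconds; assumed short lifetime for bearer tokens

    def __init__(self, clock):
        self.clock = clock
        self._grants = {}   # refresh_token -> Grant
        self._access = {}   # access_token -> (Grant, expires_at)

    def authorize(self, user, client_id, scope):
        """One-time user consent. Returns the refresh token the client keeps."""
        rt = secrets.token_urlsafe(24)
        self._grants[rt] = Grant(user, client_id, frozenset(scope), rt)
        return rt

    def refresh(self, refresh_token):
        """Exchange a refresh token for a new access token; None once revoked."""
        g = self._grants.get(refresh_token)
        if g is None or g.revoked:
            return None
        at = secrets.token_urlsafe(24)
        self._access[at] = (g, self.clock() + self.ACCESS_TTL)
        return at

    def revoke(self, refresh_token):
        g = self._grants.get(refresh_token)
        if g is not None:
            g.revoked = True

    def check(self, access_token, needed_scope):
        """What the resource server asks: who is this, and may they do that?"""
        entry = self._access.get(access_token)
        if entry is None:
            return None
        g, expires_at = entry
        if g.revoked or self.clock() > expires_at or needed_scope not in g.scope:
            return None
        return g.user


class CalendarJob:
    """Background process that holds only a refresh token, never a password."""
    def __init__(self, auth, refresh_token):
        self.auth = auth
        self.rt = refresh_token
        self.at = None

    def _token(self):
        # Renew silently when the cached access token is missing or expired.
        if self.at is None or self.auth.check(self.at, "calendar:read") is None:
            self.at = self.auth.refresh(self.rt)
        return self.at

    def read(self):
        at = self._token()
        return None if at is None else self.auth.check(at, "calendar:read")

    def write(self):
        at = self._token()
        return None if at is None else self.auth.check(at, "calendar:write")


def simulate():
    clock = Clock()
    auth = AuthorizationServer(clock)
    rt = auth.authorize("boss", "calendar-bot", {"calendar:read"})  # consent once
    job = CalendarJob(auth, rt)
    results = {}
    results["first_read"] = job.read()              # "boss"
    clock.advance(3600)                             # access token long expired
    results["read_after_expiry"] = job.read()       # still "boss": refreshed silently
    results["write_attempt"] = job.write()          # None: scope was never granted
    auth.revoke(rt)
    results["read_after_revoke"] = job.read()       # None: refresh now fails
    return results


if __name__ == "__main__":
    print(simulate())
```

The user's password never reaches the bot, the bot can only do what the granted scope allows, and pulling the grant ends the automation without the user changing anything else; that is the narrow job OAuth is good at, and the one this thread keeps coming back to.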