Comments on: How Not To Implement A Web Application That Handles External Authentication, Using BeTwittered.com As An Example

By: Marcos Wright Kuhns

Marcos Wright Kuhns — Fri, 10 Dec 2010 15:07:59 +0000

While you're completely right that if a hacker gets your oAuth tokens it could give them the same rights as if they got your username & password, there are additional security and convenience advantages with oAuth. First, the tokens are unique to this site, whereas people often re-use their username & password across multiple services. Second, applications that have a good oAuth implementation will let you selectively revoke oAuth tokens. I could block the hacker who go access to my BeTwittered account while my Tweetings iPhone app, who's oAuth tokens are still secure, will not loose access. If I was forced to change my password, I'd have to re-enter them for every service connected with my Twitter account.

By: used plant machinery

used plant machinery — Tue, 20 Apr 2010 09:04:10 +0000

The opposite most essential factor to consider is the compatibility with the present plant. This needs to be taken care of seriously in any other case it will cost you high. Contemplating these components will assist you arrive at a final determination which is not going to solely save your cost but additionally provide added functionality.

By: Jaisen Mathai

Jaisen Mathai — Thu, 04 Feb 2010 08:56:00 +0000

Consumer secret is what I meant by "private secret". I agree that security by obfuscation is very valid as long as you're aware that's partly what it is. I'm a huge fan of oAuth. It's just that I think it's important not to get to comfortable with anything security related.

By: Nischal Shetty

Nischal Shetty — Thu, 04 Feb 2010 08:52:48 +0000

Umm… not really… you would also need the consumer secret!

Of course, nothing is completely safe, but this can make it a little more difficult

By: Artem Russakovskii

Artem Russakovskii — Thu, 04 Feb 2010 07:45:58 +0000

Thanks, good point, Iain.

By: Jaisen Mathai

Jaisen Mathai — Thu, 04 Feb 2010 07:40:31 +0000

Just wanted to point out that oauth tokens aren't much different than a user's username and password. If you grant an application, on Twitter for example, with read and write access then anyone with the tokens and the private secret can have their way with your account.

This is far better than handing over a username and password but it's important to remember that oAuth alone doesn't solve security problems. It still takes common sense to implement oAuth correctly (albiet some of that is taken care of by the oAuth spec).

Tokens should be treated like passwords that need to be decrypted using salt or other means to secure them.

By: Nischal Shetty

Nischal Shetty — Thu, 04 Feb 2010 05:10:46 +0000

oAuth FTW!

By: Iain

Iain — Thu, 04 Feb 2010 03:15:35 +0000

"note that passing this data in a POST request would change nothing, security-wise"

At least using POST would mean the plain text passwords weren't quite so likely to end up in webserver logs or proxy server logs… But yeah, as the kiddies say "yr doin it wrong!"…

Comments on: How *Not* To Implement A Web Application That Handles External Authentication, Using BeTwittered.com As An Example

By: Marcos Wright Kuhns

By: used plant machinery

By: Jaisen Mathai

By: Nischal Shetty

By: Artem Russakovskii

By: Jaisen Mathai

By: Nischal Shetty

By: Iain

Comments on: How Not To Implement A Web Application That Handles External Authentication, Using BeTwittered.com As An Example