Last post Oct 23, 2013 10:50 AM by BrockAllen
Oct 23, 2013 07:11 AM | TheNutCracker
I was reading about OAuth (or is it OpenAuth) recently on Wikipedia and my first impressions of the standard are that it is severely lacking in strong security principles. I wonder if the framework has matured enough to where it is secure enough to be trusted on any website. I guess one question I would ask is, would it be safe to implement in a high security environment like a banking system or medical records system, those types of high security systems? Maybe places like PayPal and Amazon where consumers do a lot of financial transactions. And if it's not safe enough and secure enough in those environments, should it be used at all merely in the name of convenience? Because the bottom line is that it's all about convenience. That's the whole purpose of an external login, is it not?
And then you have the issue with the NSA coming into play as well. Are consumers using external logins enough to warrant the implementations? I personally rarely use them, choosing mostly to create my own unique account for each website I visit. If the NSA wants me to connect all the dots on my life they can forget it. They can do it on their own. I have no interest in doing their job for them. Why? Because I am a criminal? No, because it's none of their damn business. It's pretty much that simple.
So, as a n00b in the realm of this 'external login' phenomenon that is taking the world by storm (at least at the moment, it seems), I wonder if some of you in the know could tell me your thoughts on the current state of things, like how secure the OAuth 2.0 framework is, what alternative frameworks are out there, how secure the alternatives are, and whether or not you think this is a passing fad, or it will be around 10 years from now.
I want to make sure my programming skills are well-rounded and have been hesitant to invest a lot of time in learning these external login frameworks because of the concerns I have raised above.
Microsoft has invested a lot of time in the technology it seems as evidenced in the support they have included in VS2012/2013. So, they clearly think it has a good future. At least that's the conclusion I have made.
Thanks for reading.
Edit: Of course, now that I think about it, Microsoft software is probably under the direct influence of the NSA, so the fact that they are heavily supporting external logins may not be all that surprising to me after all.
Oct 23, 2013 10:50 AM | BrockAllen
External logins make sense -- a centralized location for authentication where the user can have one very strong password (instead of using the same weak password at 20 different websites). Think about Windows and Active Directory -- that's also a centralized authentication system and that makes sense.
What you need to evaluate is which centralized login system it makes sense to trust. This will be different for each app. For the bank, they'll want to trust their own, but for the ASP.NET forums it would make sense to trust Facebook or Google.
Also, you need to think about what sort of identity information the app needs and who owns the identity. For public websites they generally just need to know it's the same user each time they visit and might not need much other info than perhaps the user's name or email. In this scenario the user owns their own identity and they can choose to use the identity they want to use (like Facebook vs Google). But for the bank, the bank website needs the customer info and this identity is owned by the bank, so using a non-bank-owned identity probably wouldn't make sense.