Gentoo Forums
Advice - OAuth is Safe?
Holysword
Posted: Tue Apr 29, 2014 3:59 am    Post subject: Advice - OAuth is Safe?

What do you guys think about OAuth? How does it work? I have used some applications that magically are able to log in to my account without asking for the password or username (it asks on the first connection, of course). Is it safe? Does it work like SSH keys? What happens if someone manages to copy my key (the file, that is) then? Honest question.
_________________
"Nolite arbitrari quia venerim mittere pacem in terram non veni pacem mittere sed gladium" (Yeshua Ha Mashiach)
khayyam
Posted: Sat May 03, 2014 12:25 pm    Post subject:

Holysword ...

It's more an authentication method (where access tokens are provided to a third party via a service like OpenID). So, not like ssh keys (which don't use any service to validate the "key"). As for how secure it is, there has been some controversy relating to the specification, and now (topically) a serious security flaw in OAuth, OpenID [has been] discovered.

best ... khay
Holysword
Posted: Fri May 09, 2014 5:51 pm    Post subject:

khayyam wrote:
Holysword ...

It's more an authentication method (where access tokens are provided to a third party via a service like OpenID). So, not like ssh keys (which don't use any service to validate the "key"). As for how secure it is, there has been some controversy relating to the specification, and now (topically) a serious security flaw in OAuth, OpenID [has been] discovered.

best ... khay

Thank you for replying. I tried to compare with SSH because I can also log in remotely to some trusted servers using SSH, without entering username or password.
So as far as I understood, OAuth basically gives all the access for a website to perform all the authorised actions, regardless of whether I am online or not, regardless of whether I have asked for that specific action at that specific time or not. It means that if the authorised website is attacked somehow, the attacker has control over all the authorised actions, regardless of whether I have asked for that specific action at that specific time or not. Is that correct? If so, that does not sound like a bad idea... it sounds more like shooting your own head twice.
_________________
"Nolite arbitrari quia venerim mittere pacem in terram non veni pacem mittere sed gladium" (Yeshua Ha Mashiach)
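
A toy model of the questions raised in this thread (what a copied token can do, and what an authorised application can do while the user is offline), added here as an illustration; it is not from any post and is not a real OAuth library. The class `AuthServer`, the user `alice`, the client `photo-app` and the scope strings are made-up names. It shows that a bearer token works for whoever holds it, and that scope, expiry and revocation are what bound the damage.

```python
import secrets
import time

class AuthServer:
    """Toy authorization server: issues, checks and revokes bearer tokens."""
    def __init__(self):
        self._tokens = {}  # token -> grant (user, client, scopes, expiry)

    def issue(self, user, client, scopes, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random, unguessable, not a password
        self._tokens[token] = {"user": user, "client": client,
                               "scopes": frozenset(scopes), "exp": now + ttl}
        return token

    def revoke_client(self, user, client):
        """User withdraws consent: every token that client holds for them dies."""
        doomed = [t for t, g in self._tokens.items()
                  if g["user"] == user and g["client"] == client]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def check(self, token, needed_scope, now=None):
        """What a resource server asks before acting. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        grant = self._tokens.get(token)
        if grant is None:
            return False, "unknown or revoked token"
        if now >= grant["exp"]:
            return False, "token expired"
        if needed_scope not in grant["scopes"]:
            return False, "scope not granted"
        return True, "ok"

def demo():
    srv = AuthServer()
    t0 = 1_000_000.0  # constructed clock value so the run is deterministic
    tok = srv.issue("alice", "photo-app", {"photos.read"}, ttl=3600, now=t0)
    copied = tok  # a bearer token is honoured for anyone holding a copy
    results = [
        srv.check(copied, "photos.read", now=t0 + 60),              # in scope
        srv.check(copied, "account.change_password", now=t0 + 60),  # never granted
        srv.check(copied, "photos.read", now=t0 + 7200),            # past expiry
    ]
    srv.revoke_client("alice", "photo-app")
    results.append(srv.check(copied, "photos.read", now=t0 + 60))   # after revoke
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```
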