1. 5

I liked Flickr’s now-deprecated hash-the-params authentication because it was simple (though flawed, it is fixable).

Now it seems like most sites are using OAuth 1.0(a) with some using OAuth 2. I hate the complexity and multiple-round-trips required with OAuth, but it seems like it’s widely supported in most languages so implementation for end-developers isn’t that difficult. Though it looks like the OAuth 2 spec is still changing, so is it not recommended yet? I see a few larger sites are using it like Instagram and Reddit.

What is the latest word in vulnerabilities in OAuth related to implementing an OAuth provider?
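The "simple but flawed, yet fixable" hash-the-params scheme mentioned above, as an added example that is not part of the thread. The constructed `naive_sign` mirrors the delimiter-free concatenation plus plain MD5 style of signature; `hmac_sign` is the fixed form (canonical percent-encoded key=value pairs joined with `&`, authenticated with HMAC-SHA256, which also closes the length-extension weakness of a secret-prefix MD5). The secret and parameter names are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo secret; a real deployment issues a per-client secret.
SECRET = b"demo-shared-secret"


def naive_sign(params: dict, secret: bytes = SECRET) -> str:
    """Flawed scheme: sort keys, concatenate secret+key+value with NO
    delimiters, hash with plain MD5. Shown only to contrast with the fix."""
    flat = "".join(f"{k}{params[k]}" for k in sorted(params))
    return hashlib.md5(secret + flat.encode()).hexdigest()


def canonical(params: dict) -> bytes:
    """Unambiguous serialisation: percent-encode every key and value, join as
    key=value pairs with '&'. Two different parameter sets can never
    serialise to the same byte string, so key/value boundaries are fixed."""
    pairs = (f"{quote(k, safe='')}={quote(str(params[k]), safe='')}"
             for k in sorted(params))
    return "&".join(pairs).encode()


def hmac_sign(params: dict, secret: bytes = SECRET) -> str:
    """Fixed scheme: HMAC over the canonical form. HMAC is not subject to the
    length-extension issue of hash(secret || message) constructions."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, signature: str, secret: bytes = SECRET) -> bool:
    """Server-side check; compare_digest avoids timing leaks on the compare."""
    return hmac.compare_digest(hmac_sign(params, secret), signature)


if __name__ == "__main__":
    # Two distinct requests whose delimiter-free concatenation is identical:
    # "a"+"bc"+"d"+"e" == "ab"+"c"+"d"+"e" == "abcde"
    req1 = {"a": "bc", "d": "e"}
    req2 = {"ab": "c", "d": "e"}
    print("naive collides:", naive_sign(req1) == naive_sign(req2))   # True
    print("hmac collides: ", hmac_sign(req1) == hmac_sign(req2))     # False
    call = {"method": "photos.get", "id": "42"}
    print("verify ok:", verify(call, hmac_sign(call)))               # True
```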


  2. 4

    Most new APIs I see use OAuth2. Mashape just published a great guide, the OAuth Bible.

    I hate the complexity and multiple-round-trips required with OAuth

    Use the OAuth 2.0 Two-legged flow, which is pretty simple. You can also generate keys for developers automatically, so they don’t have to go through the flow for development.

    1. 3

      I haven’t really messed with it but maybe Mozilla’s Persona is worth checking out. Here’s a nice little read on some security concerns.

      1. 3

        We’ve been debating this on the Diaspora Loomio… we’ve come to the general consensus that Persona is not a scalable solution for persistently logged-in user accounts. But a public site like HN might benefit from it, because they wouldn’t need to keep track of passwords (and hash them, keep up to date w/ security, etc.) anymore.

        Also, I really like how GitHub has Basic HTTP auth with your API key and username, as well as OAuth capabilities.

        1. 2

          While I’m a huge fan of Persona, I don’t think it’s viable for API authentication. Persona is all about website authentication and assumes that a human will be logging in via a browser.