undefined | Better HN

0 pointsmarcosdumay5y ago0 comments

I have personally faced plenty of problems caused by the OAuth2 large wire size.

The web is full of middle boxes with crazy limitations. And OAuth2 is very good of triggering each one of them. They are also mostly unique, not under the control of the ends, and often transient, so they most often aren't even understood, the problem is just assumed unsolvable. That alone is a big limitation that stops people from using OAuth2.

That said, I have never seen a case where crypto data was the cause of the bloat. Its size is so small when compared to everything else that I'm not sure why anybody would even look at it. And indeed, the rationale I found on the site is about cryptographic agility... what is interesting because you will find plenty of people claiming that this is an anti-feature that will harm security much more than help.

0 comments

q3k5y ago

Doesn't that issue come from the fact that OAuth2 state mostly lives in GET URL data (redirects/callbacks) and request headers (bearer tokens), vs. POST body (which is something OAuth3 does seem to get right)?

marcosdumayOP5y ago

Yes, and the move into references is a very welcome one. It will solve one of the large bottlenecks for OAuth use.

Still, I'm not sure using references in the crypto data itself is a good thing. You will get more requests, more infrastructure dependency, more metadata tracking, for fixing the bloat of a minor (in size) part of the protocol, and getting cryptographic agility, that is a disagreeable feature at best.

Also, once they have references, why are they adding polymorphism too? Polymorphism is a hack that tries (but fails) to solve the same problem.

q3k5y ago

I agree with your points :).

IIUC the 'JSON polymorphism' exists _to_ support handles - so that a field `foo` may either contain directly an object as data, or a string as a handle to that data.

Pet_Ant5y ago

> It will solve one of the large bottlenecks for OAuth use.

Sorry, which bottleneck is that?

1 more reply

ldng5y ago

What do you use instead of OAuth2 yourself ?

marcosdumayOP5y ago

The alternative to OAuth2 is usually not centralizing auth (both kinds).

But I do use it.

franga20005y ago

How is OAuth centralizing auth? It's generally used for one of two things: 1) Single Sign-On - something that generally increases the security of applications under one organization, where authentication has to be shared one way or another, and 2) "social login" - something that takes a website from being its own and only auth provider to supporting multiple external providers.

2) is the exact opposite of centralization and 1) is basically equivalent to dynamic linking which, while "centralization" in theory, is generally considered a good security practice.

1 more reply

j / k navigate · click thread line to collapse

0 pointsmarcosdumay5y ago0 comments

I have personally faced plenty of problems caused by the OAuth2 large wire size.

0 comments

q3k5y ago

marcosdumayOP5y ago

Yes, and the move into references is a very welcome one. It will solve one of the large bottlenecks for OAuth use.

Also, once they have references, why are they adding polymorphism too? Polymorphism is a hack that tries (but fails) to solve the same problem.

q3k5y ago

I agree with your points :).

IIUC the 'JSON polymorphism' exists _to_ support handles - so that a field `foo` may either contain directly an object as data, or a string as a handle to that data.

Pet_Ant5y ago

> It will solve one of the large bottlenecks for OAuth use.

Sorry, which bottleneck is that?

1 more reply

ldng5y ago

What do you use instead of OAuth2 yourself ?

marcosdumayOP5y ago

The alternative to OAuth2 is usually not centralizing auth (both kinds).

But I do use it.

franga20005y ago

2) is the exact opposite of centralization and 1) is basically equivalent to dynamic linking which, while "centralization" in theory, is generally considered a good security practice.

1 more reply

j / k navigate · click thread line to collapse