undefined | Better HN

0 pointslondons_explore2y ago0 comments

oauth2 was the best practice way to do that back in 2014.

Now, companies like Facebook have discovered the hard way that most users don't think carefully before giving away access to their data. All it takes is one app that says "I'd like access to everything you can see on facebook please", and that's how cambridge analytica happened.

Ever since then, the vast majority of companies have locked down API's - because the company doesn't want to get in legal hot water for the actions of a third party app granted full access by the user.

0 comments

andrewstuart22y ago

That doesn't mean oauth2 isn't still the best practice. I'd go as far as saying OIDC is best practice for oauth2 as well.

What you're saying is orthogonal and more about figuring out how to effectively manage users and the accesses they can grant, how easily they can grant certain permisisons, how often they should review access, all that.

Facebook has had issues there, and I'd say Android has also had issues with similarly vague/permissive grants (local-only, completely outside OAuth2), and has learned ways to proactively manage those for users and keep sets of permissions minimized to apps you actively use/want. But none of those really has much to do with whether or not oauth2 is a great way to allow third party access to user resources. That remains a really solid control mechanism.

j / k navigate · click thread line to collapse

0 pointslondons_explore2y ago0 comments

oauth2 was the best practice way to do that back in 2014.

0 comments

andrewstuart22y ago

That doesn't mean oauth2 isn't still the best practice. I'd go as far as saying OIDC is best practice for oauth2 as well.

j / k navigate · click thread line to collapse