
Show HN: OAuth.io released with 70+ providers - thyb
https://oauth.io
======
Titanous
Previous discussion:
[https://news.ycombinator.com/item?id=5777102](https://news.ycombinator.com/item?id=5777102)

From a security perspective, this is a horrible idea, adding a completely
untrusted intermediary. OAuth.io will technically have access to all of your
user data, and any security flaws that they have will impact your service and
user data.

~~~
btilly
Worse than that. You are at the mercy of what service providers think of both
them AND all of their clients.

Suppose that they have a customer who uses their service to install malware in
people's accounts, and Google catches them. Google isn't going to just shut
off one customer. They are going to revoke the client_id associated with
OAuth.io, causing every customer to lose access. (A malware author could try
this because they would hope that malicious requests are more easily lost
inside the torrent of other stuff coming from OAuth.io.)

And it isn't just a customer who is intentionally bad. If a customer gets
compromised by a malware author who uses that as a vector, well, same story.

You do not want your access to business-critical APIs to depend on a third
party reseller who cannot guarantee their own continued access. Really.

~~~
tehwebguy
I received an invite to this service today and just checked it out - this is
not correct.

You have to generate your own keys for each service, then store them with
OAuth.io. This doesn't mean they can't access your users' data, just that
there isn't one "master key" that could shut everyone down.

~~~
btilly
Thanks for the correction.

In that case, I fail to see the value add that they claim to provide.

~~~
nadiac
I feel it is made for fast Oauth integration. We use 4 oauth providers into
one of our app, and it took us really 4 full days to implement them without
bug. We are not Oauth experts but it was really boring and IMO useless
implementation time.

Also I'm personaly making a client-side app on a Github page and it seems that
with oauth.io I could make a serverless Facebook/Twitter authenticated app.

~~~
sondh
Facebook and Twitter OAuth implementations both support response_type=token
for serverless authorization.

------
sondh
I think this is a step backward. The OAuth specs were designed to make it
easier to work with different services and now we have to utilize yet another
service to communicate with those services?! Via a priority protocol even!

As a developer, I understand the pain when you have to deal with more than a
handful of providers but this approach is a no-go IMHO. Would be a better idea
to use something like HybridAuth and handle everything from your servers.

Relevant xkcd: [http://xkcd.com/927/](http://xkcd.com/927/)

Apology to OP if this comment appears to be offensive.

~~~
nadiac
Oauth has been made to avoid to store passwords, but it is not a simple
protocol to implement. I just think you are talking here about the main debate
between protocol versus applications/platforms.

\- Protocols provide standardization, and independance, often as
recipe/instructions to follow. Protocols keeps things open, into nodes not
hubs.

\- Applications/platforms provide easy comsumption, with a user design but
also dependancies. It is like a menu to order, as you choose what you want to
eat but you don't have to care about how to do it (the recipe). They mutualize
things as code librairies, CPU etc... but are hubs, not node and close the
network in counterparty of user experience.

To see in depth the difference of design between a recipe and and a menu, more
explanations in the Donald Norman book " The Design of Everyday Things"

Edit: To see the difference between a protocol and an application, why people
are using Gmail instead of STMP? _User experience vs implementation_

------
n1cked
A bit annoying that the site breaks the back button.

------
jmelul
Nice stuff! Definitely beats using Gigya or Janrain which cost quite a bit.
This is the only part we were interested in anyway so... Are you guys planning
on adding services and maintaining the services for regular updates across all
these services?

------
calebclark
I clicked the login button on your oauth.io site' and I was surprised to see a
basic email/password form. Why not use your own product to allow login through
Facebook, twitter, github, etc?

~~~
nodefortytwo
That is ridiculous.

------
DiabloD3
This is not what I want in an OAuth provider.

Instead, someone should write a simple daemon I can execute http+json REST
functions on to create and verify login cookies and transfer them back and
forth to the user's browser using my webapp normally.

The daemon can be written in any language as long as it is not a JVM language.

I would write such a thing, but OAuth is somewhat confusing, and OAuth.io
brings up a good point, a lot of the existing OAuth implementations are a bit
flaky and if I just copy what they do/use them directly I risk inheriting that
problem.

------
Aaronneyer
Anybody watch the little gif in the corner? Just kind of stared at it for a
while, it never seems to end.

edit: Oh, the whole thing isn't a GIF. It just has a looping programmer gif
and then puts some text around it. Maybe it will go on forever then :p

edit2: [https://oauth.io/js/stubborn.js](https://oauth.io/js/stubborn.js) So
definitely does go on forever :p

------
Avalaxy
So... Where can I find more information on what this is and how it works?
There isn't even a description on the website on what oauth.io is, just a
small code snippet. Why am I supposed to sign up for something I know nothing
about? I was expecting at least a small video that explains how this all works
and what it does for me.

------
alpb
This is still beta page. I can't see list of 70 providers.

~~~
thyb
Currently, you just have to sign up to access the full list. We'll add this
list for non registered user asap. Thanks for your feedback.

------
canadev
I would recommend rolling your own consumers, or using one of the following
libraries:

\- [http://hybridauth.sourceforge.net/](http://hybridauth.sourceforge.net/)
(PHP)

\-
[https://github.com/intridea/omniauth](https://github.com/intridea/omniauth)
(Ruby)

Anybody have any equivalents for other languages?

------
hippich
Nothing really wrong with wanting to make money, but this should be an OSS
library instead.. I guess I am too idealistic :)

------
bobwaycott
Thanks for breaking my back button.

------
tiedemann
I, for one, welcome our new OAuth overlords.

If it works the way it's supposed to I'll be using it for sure.

------
aymeric
I can't register on their website using OAuth? Really?

