
Understanding OAuth 2.0 and OpenID Connect - abd12
https://blog.runscope.com/posts/understanding-oauth-2-and-openid-connect
======
UncleMeat
> The Implicit flow is designed specifically for mobile apps or client side
> Javascript apps where embedded credentials could be compromised. The
> mechanics are simple in that the application redirects the user to the
> Identity Provider to authenticate, the IdP passes back token(s), and the
> application uses it according to the scopes it has.

Do not use Implicit Grant in mobile apps unless interacting with an app
provider (and even then, Implicit Grant still has some major footguns if you
are using it for authn, which most people are). It was absolutely not
"designed specifically for mobile apps." If you are talking to the browser you
cannot ensure that the access token is delivered to the right place and access
tokens are not bound to the relying party. If you are using the access token
for authn like suggested here, you let malicious apps impersonate your users.

If you are using a mobile app and performing OAuth through the browser, use
Authz Code flow with PKCE.
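
The flow recommended in the comment above, worked through as an added example (not code from the thread, the article, or any library): a public client generates a PKCE code_verifier, sends only the S256 code_challenge in the authorization request, and the authorization server refuses to redeem the code unless the caller can present the matching verifier. The IdP endpoint, client_id and redirect URI are constructed placeholders, and the toy server class is an assumption that stands in for a real IdP's /authorize and /token handling so the whole exchange runs offline.

```python
import base64
import hashlib
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; a real app uses its own registered
# client_id, redirect URI and IdP endpoints (assumptions, not from the thread).
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-mobile-app"
REDIRECT_URI = "com.example.app:/oauth2redirect"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier that never leaves the app; 32 random bytes give 43 chars."""
    return b64url(os.urandom(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(verifier: str, state: str) -> str:
    """Step 1: URL the app opens in the system browser. Only the challenge is sent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Assumed stand-in for the IdP: stores the challenge with the code, checks it at /token."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, url: str) -> str:
        """Step 2: after the user authenticates, redirect back with a one-time code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code":
            raise ValueError("response_type=token (implicit) is not offered to public clients")
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("public clients must send an S256 code_challenge")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Step 3: redeem the code; the verifier proves the caller started this flow."""
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            raise PermissionError("unknown or already-redeemed code")
        issued_to, issued_redirect, challenge = entry
        if client_id != issued_to or redirect_uri != issued_redirect:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("code_verifier does not match the stored code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server: ToyAuthorizationServer, wrong_verifier: bool = False):
    """Client side end to end; returns the token response, or None if the IdP refuses."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    callback = server.authorize(build_authorization_request(verifier, state))
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not secrets.compare_digest(cb.get("state", ""), state):
        return None  # callback does not belong to a request this app started
    # A party that only observed the callback holds the code but not the verifier.
    presented = make_code_verifier() if wrong_verifier else verifier
    try:
        return server.token(cb["code"], CLIENT_ID, REDIRECT_URI, presented)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("honest client:", run_flow(ToyAuthorizationServer()))
    print("code without verifier:", run_flow(ToyAuthorizationServer(), wrong_verifier=True))
```

The point the example makes concrete: with the implicit grant the access token itself travels through the browser redirect, so anything that can read that redirect holds a usable token. With the code flow plus PKCE, what travels through the browser is a one-time code that is worthless without the verifier held in the app's memory, and the server also pins the code to the client_id and redirect_uri it was issued for.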

~~~
adumbledore
It even says so on the official website ( [https://oauth.net/2/grant-
types/implicit/](https://oauth.net/2/grant-types/implicit/) ) - astonishing
that they can't get this right. Maybe says something about the product?

~~~
UncleMeat
Yep. I'm fairly concerned about an identity management company publishing this
information.

~~~
caseysoftware
Author here -

Entirely agree and we recommend using Auth Code+PKCE whenever possible. This
post is intended to be the first of a few starting with the base spec. In the
next one, I plan to go over the RFCs for JWT, Revocation, Inspection, PKCE,
the AppAuth pattern, and probably a few others.

Thanks for the note though.

~~~
rahulrav
Thanks for the shoutout to AppAuth ([https://appauth.io](https://appauth.io)).
It’s our 20% project at Google.

------
billfruit
For someone rather new to HN, is there any reason HN, or for that matter
reddit, do not support logging in with third party accounts? Stackoverflow for
example does support them, and whatever may be their downsides, they are
mighty convenient.

~~~
Boulth
I'm definitely not part of the team that works on HN but my impression is that
HN strives to be as simple as possible. I actually like the current
minimalistic username+password scheme. No activation email, no captchas.
What's wrong with that? Not every site needs a NASCAR-like login screen.

~~~
cdcarter
Generally, because managing passwords (both for the end user and for the
server) is difficult, and there's no reason to get into the identity
management business if you don't absolutely need to.

~~~
zie
I understand the reasoning behind this, since it's hard to get right, but if
we offload all of our logins to Facebook, Google and friends, they suddenly get
WAY more information about us. You as site author are giving them access to
all of your users, and you as a user of the site are giving them access to
where you wander on the Internet.

Plus if a breach happens on Facebook or Google, then the hackers get
_EVERYTHING_ including access to your site (as a site author).

So there are definitely downsides to doing social login(s) as well, and it's
not as clear cut as just "let Google and friends do it for me".

~~~
BrandoElFollito
What WAY more information do they get?

They know that I use the site and (to some extent) when.

I am under the (possibly false) impression that the risk is to let the requesting
site (HN here) request too much data from, say, Google (my age, shoe size and
whatever they store about me).

~~~
zie
They get that you use site X (and y, z, and q too), when you use those sites,
and where you were when you logged in from (i.e. your IP, browser info, etc).

For one site, not a huge issue maybe, unless it's ilovemesome<insert something
disgusting here>.com

But add this up across many, many sites, and they suddenly get loads and loads
more information to sell ads to you with.

~~~
BrandoElFollito
Yes, this is true - but at least in the case of Google this is peripheral
compared to what they have through my browsing (search, email, etc.).

