
Designing an Authentication System: A Dialogue in Four Scenes (1988) - Tomte
https://web.mit.edu/kerberos/dialogue.html
======
elblanko
OpenID, OAuth, et al. are similar to Kerberos: using a central authentication
server to issue tokens that are trusted for authentication to a third party.
OAuth seems a little bit weaker compared to Kerberos since there is no mutual
authentication; instead we tend to rely on HTTPS for this.

~~~
yaseen-rob
Last time I checked we had TLS Client Certificates and TLS Certificate
Pinning. So yes, we do have mutual auth. Additionally, OAuth2 is not an
authentication flow.

~~~
news_to_me
> Additionally, OAuth2 is not an authentication flow.

I've heard this before, but tbh I'm not familiar enough with auth systems to
see why it's true. I've certainly used "login with Facebook", etc. as an
alternative to email/password login for sites I've created in the past, and
I've seen others do so.

Do you mind elaborating?

------
amaccuish
FYI, this is Kerberos 4; most Kerberos uses preauthentication now, so the
whole "try to decrypt the ticket and see if it works" isn't a thing now.

