
The OAuth Bible - ecesena
https://github.com/Mashape/mashape-oauth/blob/master/FLOWS.md
======
nijiko
Hello! I am the author of this, never expected to see it here! I was extremely
surprised when my friend mentioned it was on here and Hacker News wouldn't let
me comment.

If anyone has questions or any feedback let me know as it is a work in
progress! Thank you for all the kind words!

------
WALoeIII
This is excellent, especially the diagrams.

I'd love to see an explanation of the security implications of each flow. As I
understand it the "most secure" flow is OAuth 1.0a (three-legged), but it's a
total pain so it is mostly avoided. OAuth 2.0 is dramatically simpler, but
there are bespoke additions (Google and Facebook come to mind) that you have
to handle, typically in the name of security. I am ignorant of all the
implications and would like a guide.

~~~
ecesena
On (in)security of OAuth implementations:
<http://css.csail.mit.edu/6.858/2012/readings/oauth-sso.pdf>

------
swatkat
@nijiko,

Your posts are appearing as [dead].

 _nijiko 3 hours ago | link [dead]

Hello! I am the author of this, never expected to see it here! I was extremely
surprised when my friend mentioned it was on here and Hacker News wouldn't let
me comment. If anyone has questions or any feedback let me know as it is a
work in progress! Thank you for all the kind words!_

~~~
nijiko
Forgive me for I don't know what this means, I'm new to Hacker News.

------
phillmv
+1.

I almost wrote this myself last year after reading the spec, but then all the
will to live and relevant details had evaporated from my mind.

It's actually not that hard to understand once you strip the verbose prose.

------
richardjordan
Great work. Thanks for all of this. I can't be the only one who has on more
than one occasion waded through the technical descriptions of this topic and
read code examples and still feels a bit lost, giving up and just using an
existing library and crossing my fingers. I haven't read your entire doc yet
but what I have is very nicely explained.

I think if more people understood it better we would all have a better shot at
consistency in this regard. To that end you've made a great start. Cheers.

------
ejain
Neat! But I've yet to find a place that explains _why_ OAuth requires certain
things (vs stating what is required).

~~~
nijiko
Tell me what pieces you want explained and I will deliver:

nijiko@mashape.com

------
ismaelc
Finally! OAuth flow charts in one place!

------
pepperp
>Excuse me if you may for I wish all to understand this, and not just those
with a degree in understanding legal or technical jargon.

I couldn't understand any of it. If this is meant to be for all, then should I
go back and learn how to switch on a computer?

------
NeMeSYZ
Thanks! Very useful these days, as OAuth is being implemented more and more.

------
kimsk
Nice. This is really helpful.

