Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If you'd bothered to read a little more before knee-jerking a reaction comment, you'd know this is only for the authentication flow.


And? What if I want to automate my login flow?


You'll need to find another provider which doesn't care that much about preventing phishing attacks. Google accounts are a big target so it makes sense you move away from the masses.


In practice it just means faking the user-agent and other fingerprinting more enthusiastically. I'm not sure how google can win that without resorting to the same anti-cheat measures as games companies.


You'll try, but the first time you won't know what fingerprinting tests they are going to do. After a few iterations you'll succeed, but it will be obvious to Google that the account you've just been testing it on belongs to someone trying to break their auth restrictions...

Good luck keeping your account!


I did read that; did you know that passing oauth tokens into such automation tools is commonplace?


OAuth tokens used in automation tools will continue to work. Entering in username & password through auth, to automate an OAuth flow (or any other traditionally manual flow) will stop working. Breaks some puppeteer scripts too - but those have been getting flaky for a while now.


Thus making it even more cumbersome for users; now they simply login, in the future they'll have to know how to get the oauth token.


It's OAuth. The application can launch a normal browser for the OAuth flow and have the user complete it.


For plenty of applications the whole purpose is not to run "a normal browser" and possibly not even have it installed.


You can also use a browser on a different device if your thing can't run a browser itself. OAuth covers a large space of options.


They can spit out a url for you to copy into a normal browser, then.


And, OAuth tokens can be revoked meaning scripts will just suddenly fail.


What's your point? Passwords can change and sessions can get invalidated, which all has the same effect.


Yes I would agree with that, except that if you change a password you know the scripts will fail, but if an OAuth token gets invalidated by the system and not you, then it will fail without warning.


And if your password gets reset by the system and not you, same story.

What makes you say oauth tokens are any less robust? Aside from the fact they usually have an expiration attached to them, there's not much difference.


Also fair point.

What makes me say that? Experience.

However, I will say to counter my own point: it’s not all roses. Using password by necessity means that your password is now stored somewhere that is likely more easily compromised (In my case: secure passwords are stored in 1Password, but passwords for script usage are either stored in an ENV or in the script itself, neither of which are great from a security standpoint)




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: