
How does using bare API keys over TLS compare to these suggestions? It's less secure, but is it still a recommended option?



The advantage to OAuth over Basic auth is that you can delegate the credentials, which is to say you can set up your system so that users can give a limited-use credential to a third-party application to perform API calls on their behalf.

Some very large services have abused OAuth to "delegate" credentials to mobile devices, which has set up the expectation among developers that OAuth is the "sophisticated" way of doing all-around credential management of any sort. Not so. If you don't have delegation to third parties, don't use OAuth.

Most applications do not need delegation.

If you need delegation, there are simpler ways to do it than OAuth that won't meaningfully sacrifice the security of your controls. At the same time, using an OAuth solution you don't fully understand (for instance, using OAuth through a high-level library that hides the details from you) can damage the integrity of your whole application by creating new classes of mistakes for you to make.
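An added illustration of the two credential shapes the thread contrasts, not code from either commenter or from any particular service: a bare API key, which the server stores only as a hash and compares in constant time, versus a limited-use delegated credential that a user can hand to a third party. The delegation scheme here is one of the "simpler ways" hinted at above, an HMAC-signed token carrying a subject, a scope list and an expiry; the signing key, the scope names and the user IDs are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional

# Constructed server-side secret for this example; a real service would load
# it from a KMS or secret store, never hard-code it.
SIGNING_KEY = b"constructed-example-signing-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Delegated credential: scoped, expiring, signed by the service -----------

def issue_delegated_token(user_id: str, scopes: List[str], ttl: int,
                          now: Optional[float] = None) -> str:
    """Mint a limited-use credential a user can give to a third-party app.

    Unlike the user's own API key, it names the subject, the allowed scopes
    and an expiry, and it is bound to those by an HMAC over the payload.
    """
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "scope": sorted(scopes),
        "exp": int(now + ttl),
        "jti": secrets.token_hex(8),  # unique id so tokens can be revoked by id
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_delegated_token(token: str, required_scope: str,
                           now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is authentic, unexpired and in scope.

    The MAC is checked before the payload is parsed, so unauthenticated
    input never reaches the JSON decoder.
    """
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # covers bad base64, bad JSON and bad unpacking
        return None
    if not isinstance(payload, dict):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    scopes = payload.get("scope")
    if not isinstance(scopes, list) or required_scope not in scopes:
        return None
    return payload.get("sub")


# --- Bare API key: the user's full credential, no scope, no expiry -----------

def hash_api_key(key: str) -> str:
    """What the server stores; a database leak then exposes only hashes."""
    return hashlib.sha256(key.encode()).hexdigest()


def check_api_key(presented: str, stored_hash: str) -> bool:
    """Constant-time comparison so the check does not leak key bytes."""
    return hmac.compare_digest(hash_api_key(presented), stored_hash)


if __name__ == "__main__":
    # Constructed walk-through: a user delegates read access to a third party.
    tok = issue_delegated_token("alice", ["read:posts"], ttl=3600, now=1_000_000)
    print("read ok:", verify_delegated_token(tok, "read:posts", now=1_000_100))
    print("write denied:", verify_delegated_token(tok, "write:posts", now=1_000_100))
    print("expired:", verify_delegated_token(tok, "read:posts", now=1_004_000))
```

The point the example makes is structural: the API key authenticates the user outright, so anyone holding it can do everything the user can, whereas the delegated token lets the third party do only what its scope says and only until it expires, without giving it the user's own secret. Both depend on TLS; neither replaces it.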



