From a security perspective, this is a horrible idea, adding a completely untrusted intermediary. OAuth.io will technically have access to all of your user data, and any security flaws that they have will impact your service and user data.
Worse than that. You are at the mercy of what service providers think of both them AND all of their clients.
Suppose that they have a customer who uses their service to install malware in people's accounts, and Google catches them. Google isn't going to just shut off one customer. They are going to revoke the client_id associated with OAuth.io, causing every customer to lose access. (A malware author could try this because they would hope that malicious requests are more easily lost inside the torrent of other stuff coming from OAuth.io.)
And it isn't just a customer who is intentionally bad. If a customer gets compromised by a malware author who uses that as a vector, well, same story.
You do not want your access to business-critical APIs to depend on a third party reseller who cannot guarantee their own continued access. Really.
I received an invite to this service today and just checked it out - this is not correct.
You have to generate your own keys for each service, then store them with OAuth.io. This doesn't mean they can't access your users' data, just that there isn't one "master key" that could shut everyone down.
I feel it is made for fast Oauth integration.
We use 4 oauth providers into one of our app, and it took us really 4 full days to implement them without bug. We are not Oauth experts but it was really boring and IMO useless implementation time.
Also I'm personaly making a client-side app on a Github page and it seems that with oauth.io I could make a serverless Facebook/Twitter authenticated app.
I think this is a step backward. The OAuth specs were designed to make it easier to work with different services and now we have to utilize yet another service to communicate with those services?! Via a priority protocol even!
As a developer, I understand the pain when you have to deal with more than a handful of providers but this approach is a no-go IMHO. Would be a better idea to use something like HybridAuth and handle everything from your servers.
Oauth has been made to avoid to store passwords, but it is not a simple protocol to implement.
I just think you are talking here about the main debate between protocol versus applications/platforms.
- Protocols provide standardization, and independance, often as recipe/instructions to follow. Protocols keeps things open, into nodes not hubs.
- Applications/platforms provide easy comsumption, with a user design but also dependancies. It is like a menu to order, as you choose what you want to eat but you don't have to care about how to do it (the recipe). They mutualize things as code librairies, CPU etc... but are hubs, not node and close the network in counterparty of user experience.
To see in depth the difference of design between a recipe and and a menu, more explanations in the Donald Norman book " The Design of Everyday Things"
Edit: To see the difference between a protocol and an application, why people are using Gmail instead of STMP? User experience vs implementation
Nice stuff! Definitely beats using Gigya or Janrain which cost quite a bit. This is the only part we were interested in anyway so...
Are you guys planning on adding services and maintaining the services for regular updates across all these services?
I clicked the login button on your oauth.io site' and I was surprised to see a basic email/password form. Why not use your own product to allow login through Facebook, twitter, github, etc?
Instead, someone should write a simple daemon I can execute http+json REST functions on to create and verify login cookies and transfer them back and forth to the user's browser using my webapp normally.
The daemon can be written in any language as long as it is not a JVM language.
I would write such a thing, but OAuth is somewhat confusing, and OAuth.io brings up a good point, a lot of the existing OAuth implementations are a bit flaky and if I just copy what they do/use them directly I risk inheriting that problem.
So... Where can I find more information on what this is and how it works? There isn't even a description on the website on what oauth.io is, just a small code snippet. Why am I supposed to sign up for something I know nothing about? I was expecting at least a small video that explains how this all works and what it does for me.
From a security perspective, this is a horrible idea, adding a completely untrusted intermediary. OAuth.io will technically have access to all of your user data, and any security flaws that they have will impact your service and user data.