notes-computer-development-authentication-oauth

Note that the purpose of OAuth is to define a process by which an untrusted third-party website T can redirect the user to another website W, asking W to ask the user whether to grant T partial (scoped) access to their account at W. The point is delegation: T gets a token limited to what the user approved, and never sees the user's password for W.
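The exchange described above, written out as an added example that is not part of the original notes. Both sides are simulated in one process: T builds the redirect to W (with a `state` value and a PKCE challenge), W asks the user for consent and sends a one-time code back to T's registered redirect URI, and T checks `state` before redeeming the code at W's token endpoint. The hostnames, client id and endpoint paths are assumptions, not any real provider's values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration; these are assumptions for the
# example, not a real provider's values.
AUTHORIZE_URL = "https://w.example/oauth/authorize"
REDIRECT_URI = "https://t.example/callback"
CLIENT_ID = "t-example-client"


def b64url(data):
    """Unpadded base64url, the encoding OAuth uses for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def query(url):
    """Flatten a URL's query string into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ThirdPartySite:
    """T: sends the user to W, then validates the callback before redeeming the code."""

    def __init__(self):
        self.pending = {}  # state -> PKCE code_verifier, kept in T's server-side session

    def start(self, scope):
        state = b64url(secrets.token_bytes(16))      # unguessable, binds callback to session
        verifier = b64url(secrets.token_bytes(32))   # PKCE code_verifier (RFC 7636)
        challenge = b64url(hashlib.sha256(verifier.encode()).digest())
        self.pending[state] = verifier
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256",
        })

    def callback(self, url, server):
        q = query(url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            # Unknown or replayed state: reject rather than redeem an attacker's code.
            raise ValueError("state mismatch: possible CSRF or code injection")
        if "error" in q:
            return {"error": q["error"]}
        return server.token(grant_type="authorization_code", code=q["code"],
                            redirect_uri=REDIRECT_URI, client_id=CLIENT_ID,
                            code_verifier=verifier)


class AuthorizationServer:
    """W: asks the user for consent, issues a one-time code, checks PKCE when it is redeemed."""

    def __init__(self):
        self.codes = {}

    def authorize(self, url, user_consents):
        q = query(url)
        # Only ever redirect to the URI registered for this client_id.
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("client_id / redirect_uri not registered")
        if not user_consents:
            return REDIRECT_URI + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"scope": q["scope"], "challenge": q["code_challenge"],
                            "redirect_uri": q["redirect_uri"]}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, **req):
        rec = self.codes.pop(req.get("code"), None)      # codes are single-use
        if rec is None or rec["redirect_uri"] != req.get("redirect_uri"):
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(req.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            return {"error": "invalid_grant"}           # verifier does not match challenge
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "scope": rec["scope"], "refresh_token": b64url(secrets.token_bytes(32))}


def run_flow(user_consents=True, scope="contacts:read"):
    """Drive one complete exchange between T and W and return the token response."""
    t, w = ThirdPartySite(), AuthorizationServer()
    redirect_to_w = t.start(scope)                              # step 1: T sends the browser to W
    redirect_back = w.authorize(redirect_to_w, user_consents)   # step 2: W asks the user
    return t.callback(redirect_back, w)                         # step 3: T validates and redeems


def forged_callback_is_rejected():
    """An attacker-supplied callback with a state T never issued must not be redeemed."""
    t, w = ThirdPartySite(), AuthorizationServer()
    try:
        t.callback(REDIRECT_URI + "?code=attacker&state=bogus", w)
    except ValueError:
        return True
    return False
```

The two checks that matter for security are the ones a naive client skips: T refuses any callback whose `state` it did not issue (otherwise an attacker can log the victim into the attacker's W account by feeding T a code), and W refuses a code unless the PKCE verifier matches and the redirect URI is the registered one (otherwise a stolen code can be redeemed by whoever intercepted it).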

Apparently you can use it for some other stuff too, but OAuth on its own is about delegated access, not about proving who the user is; if you want single sign-on, maybe try Mozilla Persona or the like (Persona has since been discontinued by Mozilla).

There's also something called OpenID Connect, which is an identity layer built on top of OAuth 2.0. OAuth by itself only specifies how a client obtains an access token and says nothing about who the user is, so OpenID Connect adds a signed ID token (and a userinfo endpoint) so that the client can actually authenticate the user rather than just hold a token.

links

In order to achieve a situation where users can securely authorize third party software, without giving over their personal credentials (passwords), I recommend that these services have a page where they can generate new credentials (keys) which the user can copy and paste. They can then name these keys themselves (avoiding application registration hassle), and set permissions upon them themselves. Since the user is the one initiating the key creation, and copying and pasting it themselves, they cannot fall prey to a man-in-the-middle attack where the third party software initiates the authorization process.

But remember the use-cases described here, and ensure that organizations have a way to access all user accounts company-wide, and without individual users being able to disable or limit that access."

mikeknoop 54 days ago

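The scheme proposed in the comment above (user-minted keys that the user names and scopes themselves), as an added example that is not part of the original notes or of any commenter's code. The key is shown to the user once; the server keeps only a SHA-256 hash of its secret part, so a database leak does not leak usable keys. The `pat_` prefix, the key layout and the scope names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

PREFIX = "pat_"  # hypothetical prefix so a leaked key is recognisable by secret scanners


class PersonalAccessTokens:
    """Server-side store for user-generated keys: stores a hash, never the key itself."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}  # key_id -> record

    def create(self, user, name, scopes, ttl_seconds=None):
        """Mint a key the user names and scopes themselves; the plaintext is returned once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)               # 256 bits of entropy
        self.records[key_id] = {
            "user": user,
            "name": name,                                # user's own label, e.g. "zapier export"
            "scopes": frozenset(scopes),                 # user-chosen permissions
            "hash": hashlib.sha256(secret.encode()).hexdigest(),
            "expires": None if ttl_seconds is None else self.clock() + ttl_seconds,
            "revoked": False,
        }
        return PREFIX + key_id + "." + secret

    def revoke(self, key_id):
        self.records[key_id]["revoked"] = True

    def list_for_user(self, user):
        """What the key-management page shows: names and scopes, never secrets."""
        return [{"key_id": k, "name": r["name"], "scopes": sorted(r["scopes"])}
                for k, r in self.records.items() if r["user"] == user and not r["revoked"]]

    def authenticate(self, token, required_scope):
        """Return the owning user if the key is valid, live, and carries the scope, else None."""
        if not token.startswith(PREFIX):
            return None
        key_id, _, secret = token[len(PREFIX):].partition(".")
        rec = self.records.get(key_id)
        if rec is None or rec["revoked"]:
            return None
        if rec["expires"] is not None and self.clock() > rec["expires"]:
            return None
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(presented, rec["hash"]):   # constant-time compare
            return None
        if required_scope not in rec["scopes"]:
            return None
        return rec["user"]
```

A plain SHA-256 is enough here because the secret is a random 256-bit value, not a human-chosen password; a slow password hash would only add latency to every API call. The lookup is by the public `key_id` half, so the hash comparison is always against exactly one record and `hmac.compare_digest` keeps it constant-time.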

What's worse is when OAuth providers force the refresh tokens to be refreshed! Many OAuth providers are now requiring user-action (i.e. re-walk through the oauth popup) every x months to get new refresh tokens.


...

johns 54 days ago


The tricky part is for services like IFTTT (where I used to work) and Zapier (where the GP works) where you do want an authorization to be indefinite and not require user interaction because it's a background job. "
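The failure mode the two comments above describe, as an added example that is not part of the original notes or of either commenter's code: a simulated provider token endpoint that rotates refresh tokens on every use and refuses them once the original consent is older than a fixed lifetime, and a background job that refreshes on its own but, on `invalid_grant`, stops and flags the connection as needing the user to re-consent instead of retrying forever. The 90-day lifetime, the one-hour access token and the fake clock are assumptions for the example.

```python
import secrets

REFRESH_LIFETIME = 90 * 24 * 3600   # hypothetical provider policy: re-consent every 90 days
ACCESS_LIFETIME = 3600              # hypothetical access-token lifetime in seconds


class Clock:
    """Fake clock so the example can fast-forward months without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ProviderTokenEndpoint:
    """Simulated token endpoint: rotating refresh tokens plus an absolute lifetime per consent."""

    def __init__(self, clock):
        self.clock = clock
        self.grants = {}  # live refresh_token -> {"consented": time of the user's last consent}

    def issue_after_consent(self):
        rt = secrets.token_urlsafe(32)
        self.grants[rt] = {"consented": self.clock.now()}
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_LIFETIME, "refresh_token": rt}

    def refresh(self, refresh_token):
        grant = self.grants.pop(refresh_token, None)   # rotation: the presented token is spent
        if grant is None:
            return {"error": "invalid_grant"}           # unknown or already-used token
        if self.clock.now() - grant["consented"] > REFRESH_LIFETIME:
            return {"error": "invalid_grant"}           # forced re-consent; the grant is gone
        new_rt = secrets.token_urlsafe(32)
        self.grants[new_rt] = grant                     # lifetime still counts from consent
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_LIFETIME, "refresh_token": new_rt}


class BackgroundJob:
    """Client side of an integration that must keep running with no user present."""

    def __init__(self, endpoint, clock):
        self.endpoint, self.clock = endpoint, clock
        self.tokens = None          # in a real job this is persisted, since the refresh token rotates
        self.needs_reauth = False

    def connect(self):
        """Called once, right after the user walked through the consent popup."""
        self.tokens = dict(self.endpoint.issue_after_consent(), acquired=self.clock.now())
        self.needs_reauth = False

    def access_token(self):
        """Return a usable access token, refreshing early; None plus a flag when the user must re-consent."""
        if self.tokens is None:
            return None
        age = self.clock.now() - self.tokens["acquired"]
        if age >= self.tokens["expires_in"] - 60:       # refresh a minute before expiry
            resp = self.endpoint.refresh(self.tokens["refresh_token"])
            if "error" in resp:
                # Do not retry in a loop: the grant is dead, only the user can fix it.
                self.tokens, self.needs_reauth = None, True
                return None
            self.tokens = dict(resp, acquired=self.clock.now())   # keep the rotated refresh token
        return self.tokens["access_token"]
```

Two practical points the simulation makes visible: with rotation, the job must persist the new refresh token after every refresh (losing it means the old one is already invalid), and an `invalid_grant` response is terminal for that grant, so the right reaction is to record `needs_reauth` and notify the user, not to keep hammering the token endpoint.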