(www.ducktyped.org)

354 points egonschiele | 1 comments | 25 Aug 25 12:29 UTC | HN request time: 0.281s | source

Show context

homakov ◴[25 Aug 25 15:36 UTC] No.45015012[source]▶

IMO OAuth2 is very poorly designed. It has several structural issues: "Connect this OAuth provider" hijack your main account, redirect hijack allows to leak either auth codes through Referrer or access_token through #hash passing, "state" CSRF token is optional and usually ignored etc

I have an old writeup on that and solution to it https://sakurity.com/oauth - better analyze it with LLM if interested in authorization protocols

replies(1): >>45015919 #

ted_dunning ◴[25 Aug 25 16:53 UTC] No.45015919[source]▶

>>45015012 #

Your comments are so highly abbreviated as to be nearly impossible to understand. I suspect that unintelligibility is leading to it being heavily downvoted.

The addition of the comment about LLMs isn't really helping.

replies(2): >>45016046 #>>45034514 #

1. derangedHorse ◴[27 Aug 25 01:40 UTC] No.45034514[source]▶

>>45015919 #

His comments are also outdated. Browser binding with a separate nonce is standard practice by big identity providers, redirect uris are typically strictly validated, implicit flow without pkce is being phased out, and most browsers protect against a lot of would-be csrf attacks with strict samesite cookie headers.

↑

An illustrated guide to OAuth