
Anti-OAuth Alliance

Description

OAuth is a subversive family of design concepts that can be used to offer an authorization framework for services. The framework encapsulates, but for the most part leaves unspecified, how authentication is to be implemented, while only superficially defining what the subsequent stages of trust involve. These concepts present a large attack surface, and when combined incorrectly they lead to a slew of issues. Such issues are common: even large companies with experienced developers implementing these concepts, such as Facebook or GitHub, are known to have repeatedly made mistakes that exposed their users or third-party developers to attack.

Services that build their APIs on an OAuth-based foundation are generally insecure or used insecurely, and, more importantly, are frequently unable to offer an API that is usable in most circumstances. We provide two articles elaborating on this:

Despite all these issues, large vendors offering non-enterprise services, who do not care about their users or third-party developers, prefer OAuth because it aligns well with their own agendas. Many consultants also prefer that OAuth be used, since it increases the demand for their consulting services to tame OAuth and produce something remotely secure or usable. Don't be fooled by those who push OAuth to satisfy their own agendas, or who personally benefit from how problematic OAuth is.

Due to all these problems, as a matter of principle, we strongly recommend against building API services upon the flawed authorization concept that OAuth is popularizing. It is best to use well-understood authentication protocols coupled with well-thought-out business practices, and to leave authorization to administrative menus, where it belongs. Below we list some resources that can aid in designing authentication for API services, as well as other components crucial to providing an HTTP-based API.
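To make the recommendation above concrete, here is an added illustration (it is not the Anti-OAuth Alliance's own code, and the page does not prescribe any particular protocol): the API authenticates each caller with a per-client credential carried in a standard HTTP Basic header over TLS, and then decides what that caller may do by consulting a server-side permission table that an administrator maintains. The client names, keys, permission table and route-to-permission mapping are constructed sample data; the choice of HTTP Basic over TLS as the "well-understood authentication protocol" is an assumption made for the example.

```python
"""Added example: authenticate with a well-understood HTTP mechanism,
then authorize from an admin-maintained permission table.
Not the page's own code; all names and data below are constructed."""
import base64
import hashlib
import hmac

# Constructed sample data: what an administrator would configure.
# Only a hash of each client's key is stored server-side.
CLIENTS = {
    "reporting-job": {
        "key_hash": hashlib.sha256(b"rk_live_example_key_1").hexdigest(),
        "permissions": {"reports:read"},
    },
    "billing-svc": {
        "key_hash": hashlib.sha256(b"bk_live_example_key_2").hexdigest(),
        "permissions": {"reports:read", "invoices:write"},
    },
}

# Constructed route table: which admin-granted permission each endpoint needs.
ROUTES = {
    ("GET", "/reports"): "reports:read",
    ("POST", "/invoices"): "invoices:write",
}


def authenticate(authorization_header):
    """Return the client name proven by an HTTP Basic header, or None.

    HTTP Basic sends the credential in the clear, so this only makes sense
    over TLS; the transport is assumed, not shown, here.
    """
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client, sep, key = decoded.partition(":")
    if not sep:
        return None
    record = CLIENTS.get(client)
    # Compare hashes in constant time so a byte-by-byte timing difference
    # cannot leak the stored hash. Unknown clients compare against a dummy
    # value so the timing also does not reveal whether the name exists.
    presented = hashlib.sha256(key.encode("utf-8")).hexdigest()
    expected = record["key_hash"] if record else hashlib.sha256(b"").hexdigest()
    matched = hmac.compare_digest(presented, expected)
    return client if (matched and record) else None


def authorize(client, permission):
    """Authorization is a lookup in the admin-maintained table, nothing more."""
    return permission in CLIENTS.get(client, {}).get("permissions", set())


def handle_request(method, path, headers):
    """Return the HTTP status the API would answer with for this request."""
    required = ROUTES.get((method, path))
    if required is None:
        return 404
    client = authenticate(headers.get("Authorization"))
    if client is None:
        return 401  # not authenticated: who is calling is unknown
    if not authorize(client, required):
        return 403  # authenticated, but the admin has not granted this
    return 200


def basic_header(client, key):
    """Build the header a client would send (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{client}:{key}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    hdr = basic_header("reporting-job", "rk_live_example_key_1")
    print(handle_request("GET", "/reports", {"Authorization": hdr}))    # 200
    print(handle_request("POST", "/invoices", {"Authorization": hdr}))  # 403
    print(handle_request("GET", "/reports", {}))                        # 401
```

The point of the split is that the server never has to interpret a token format or a scope string handed to it by a third party: it establishes who is calling with one standard mechanism, and everything about what that caller may do lives in a table an administrator edits.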

It is our hope that developers reading this will aim to understand what they truly want to provide the market with, and avoid the fad and bias currently promoting OAuth. We also hope our readers will tell the vendors of the services they use that they demand access to something saner and more usable.

The Alliance

Show your support for the Anti-OAuth Alliance by not using OAuth, and by convincing others to switch to something better. If you have created good material about not using OAuth, leave a comment on our most recent article and we will add a link to your material.

Imagery

[Image: joke about OAuth crippling services]

Feel free to use our imagery in any material you create that aims to discourage the use of OAuth.

Key problems commonly found with OAuth systems

The problems enumerated below, along with some workarounds, are elaborated upon in our aforementioned OAuth articles.

Recommended Books

Secure Programming Cookbook
Cryptography Engineering
HTTP Developer's Handbook
HTTP: The Definitive Guide
Bulletproof SSL and TLS

Other

If you would like to support the Anti-OAuth Alliance or anything else on Insane Coding, please consider making a donation.
