Third-party authorization

The best-known third-party authorization protocol today is the 2.0 release of OAuth, also known as OAuth2, which supersedes the original release (OAuth 1.0, or simply OAuth), whose development was started by Blaine Cook and Chris Messina in 2006.

We have already talked about it at length, for good reasons: OAuth 2 has quickly become the industry-standard protocol for authorization and is used by a huge number of community-based websites and social networks, including Google, Facebook, and Twitter. In its most common form, the authorization code grant, it basically works like this:

  • Whenever our application needs a set of permissions on an existing user's behalf (for example, reading their profile), it redirects the user to a third-party authorization provider that our application trusts (for example, Facebook), stating which client is asking, which permissions (scopes) it wants, and where the provider should send the user back afterwards
  • The provider authenticates the user by its own means, asks them whether to grant the requested permissions and, if they agree, hands back a temporary, scope-limited credential: an authorization code that our application exchanges, over a back channel, for an access token
  • Our application presents the access token to the provider's API and is granted access to exactly what the user consented to, for as long as the token lasts

It is easy to see how tempting it is to reuse this authorization logic for authentication purposes as well: after all, if Facebook says I can do something, shouldn't that also imply that I am who I claim to be? Isn't that enough?

The short answer is no. It might hold for Facebook, because their OAuth 2 implementation requires the user receiving the authorization to have authenticated themselves with Facebook first; however, that assurance is not written anywhere. The OAuth 2 specification defines how a client obtains delegated access to a resource; it says nothing about how, or even whether, the resource owner proved who they are. Considering how many websites rely on it for authentication, we can assume that Facebook is unlikely to change its current behavior, yet we have no guarantee of it.

Theoretically speaking, these providers could split their authorization system from their authentication protocol at any time, leaving our application's authentication logic in an unrecoverable state of inconsistency. More generally, inferring one thing from another is almost always a bad practice, unless that inference rests upon very solid, well-documented and (most importantly) guaranteed grounds.
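The following self-contained Python simulation is an added example, not code from the book or from any real provider: it plays both sides of the three-step flow described above (a toy authorization server, an application registered with it as `our-app`) and then demonstrates the pitfall of the last two paragraphs. Client registrations, user names and token lifetimes are constructed for the illustration; the provider's `introspect` method is modeled on the shape of an RFC 7662 introspection response, but its behavior here is our own, not Facebook's.

```python
import secrets
import time

# Constructed client registrations: two unrelated applications, both trusted by the provider.
CLIENTS = {
    "our-app":   {"secret": "our-app-secret",   "redirect_uri": "https://our-app.example/cb"},
    "other-app": {"secret": "other-app-secret", "redirect_uri": "https://other.example/cb"},
}


class Provider:
    """Simulated third-party authorization server (the 'Facebook' of the text)."""

    def __init__(self):
        self.codes = {}   # authorization code -> grant details (short-lived, single use)
        self.tokens = {}  # access token -> grant details

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 1-2: the redirected user lands here; the provider authenticates them
        (simulated by the `user` argument) and, on consent, issues an authorization code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:  # exact match only
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "exp": time.time() + 60}
        return {"code": code, "state": state}   # delivered to redirect_uri via the browser

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 3: back-channel exchange of the code for a bearer access token."""
        grant = self.codes.pop(code, None)          # a code can be redeemed only once
        client = CLIENTS.get(client_id)
        if (grant is None or client is None
                or not secrets.compare_digest(client["secret"], client_secret)
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or grant["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {**grant, "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, access_token):
        """What an access token actually asserts: which client may do what, on whose behalf."""
        grant = self.tokens.get(access_token)
        if grant is None or grant["exp"] < time.time():
            return {"active": False}
        return {"active": True, "client_id": grant["client_id"],
                "scope": grant["scope"], "sub": grant["user"]}


class OurApp:
    """Our application, registered with the provider as 'our-app'."""
    CLIENT_ID = "our-app"

    def __init__(self, provider):
        self.provider = provider
        self.pending_states = set()  # in a real app this lives in the browser session

    def start(self, scope="profile:read"):
        """Build the redirect to the provider; `state` ties the callback to this request."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.CLIENT_ID, "redirect_uri": CLIENTS[self.CLIENT_ID]["redirect_uri"],
                "scope": scope, "state": state}

    def callback(self, code, state):
        """Handle the provider's redirect: reject forged callbacks, then redeem the code."""
        if state not in self.pending_states:       # CSRF / login-fixation check
            raise PermissionError("unexpected state")
        self.pending_states.discard(state)
        return self.provider.token(self.CLIENT_ID, CLIENTS[self.CLIENT_ID]["secret"],
                                   code, CLIENTS[self.CLIENT_ID]["redirect_uri"])

    def login_naive(self, access_token):
        """Authentication by authorization: any live token the provider accepts logs its 'sub' in."""
        info = self.provider.introspect(access_token)
        return info["sub"] if info["active"] else None

    def login_checked(self, access_token):
        """At minimum, insist that the token was issued to *us*, not to some other client."""
        info = self.provider.introspect(access_token)
        if not info["active"] or info["client_id"] != self.CLIENT_ID:
            return None
        return info["sub"]


def demo():
    provider = Provider()
    app = OurApp(provider)
    # Legitimate flow: alice goes through the provider on our application's behalf.
    req = app.start()
    resp = provider.authorize(req["client_id"], req["redirect_uri"], req["scope"], req["state"], user="alice")
    ours = app.callback(resp["code"], resp["state"])
    # Separately, alice also authorized an unrelated application ('other-app'). Whoever holds
    # that token (a leak, or the other app's operator) now presents it to our login endpoint.
    other = provider.authorize("other-app", CLIENTS["other-app"]["redirect_uri"],
                               "profile:read", "s", user="alice")
    leaked = provider.token("other-app", CLIENTS["other-app"]["secret"],
                            other["code"], CLIENTS["other-app"]["redirect_uri"])
    return {
        "ours_naive": app.login_naive(ours["access_token"]),          # "alice"
        "leaked_naive": app.login_naive(leaked["access_token"]),      # "alice": the bearer is now alice
        "leaked_checked": app.login_checked(leaked["access_token"]),  # None
        "ours_checked": app.login_checked(ours["access_token"]),      # "alice"
    }
```

Run `demo()` to see the two outcomes side by side. The access token never said "the party presenting me is alice"; it said "other-app may read alice's profile", and `login_naive` turned that into a login. `login_checked` closes that particular hole by requiring the token to have been issued to our own client, but note that it still rests on the provider's unwritten promise that `sub` authenticated before consenting, which is exactly the guarantee the text says we do not have. The standardized way to get a signed identity assertion rather than an inference is the OpenID Connect layer on top of OAuth 2; a plain access token is not that assertion.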
