4 Comments

  1. Samuel "Otto" Wood

    I am glad that other people realize how OAuth sucks in extremely specific ways. :)

    • mark k.

      Yes, but giving user/password info, which has to be stored in plain text, sucks more :). It is much harder to set up a generic service around it, but for the user the advantage is that he can expire the access for a specific service without having to change anything in other services, and even without having access to the service to which he wants to deny access.

      • Otto

        The problem is that OAuth is not designed for something intended to be distributed to users. Basically, to use it, you have to have two web services talking to each other using an account from a third party. It’s poorly designed for use by WordPress plugins, really, because in such a case, there’s no third party. In order to use it effectively, the plugin author has to create and host a separate web service just for relaying authentication credentials around, in order to preserve the “secret” part of the authentication system. Badly designed, basically.

        Storing usernames and passwords is bad, but having to relay all authentication and quite a lot of the messaging through a third-party do-nothing web service isn’t much better, honestly.

      • mark k.

        Maybe it is just an indication that, security-wise, such “proxy” services are just not a good idea.
