OAuth

If you don’t understand your software, it can never be secure. If there are things in your code you don’t understand, you are destined to misconfigure them or use them erroneously, opening up your solution to crackers.

OAuth was created to authorise an application to act as an agent on your behalf within the space of another application. This is known as authorisation. Authentication was later added to it as an afterthought, rendering it ridiculously difficult to understand and configure correctly. To further the insult, it was implemented as a bastardised combination of OAuth and OpenID.

Normally I am all in favour of Open Standards, because they allow us to collaborate with each other, based upon mutual agreements, providing a common platform for understanding each other. However, with OAuth I’ll make an exception, and I’ll publicly state that you shouldn’t use it. It’s simply too complex, has too many moving parts, and is ridiculously difficult to implement correctly. There is no reason to use a lunar landing vehicle when a bike will suffice.

Use JWT for authentication and authorisation please!
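As an added example (this is not code from the original post, nor from servergardens), here is a minimal HS256 JWT issuer and verifier written against Python’s standard library only. It shows the checks that the recommendation above depends on in practice: the algorithm is pinned on the server side instead of being read from the token, the signature is compared in constant time before the payload is trusted, and issuer, audience and expiry are enforced. The secret, issuer and audience values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real deployment loads this from a secret store.
SECRET = b"example-only-shared-secret-replace-me"


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, issuer, audience, ttl_seconds, now=None, secret=SECRET):
    """Mint an HS256 JWT carrying the subject, its roles, and the usual scoping claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "roles": roles,
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token, issuer, audience, now=None, secret=SECRET):
    """Return the payload of a token that passes every check, else raise TokenError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Verify the signature first, so nothing in the payload is trusted before it.
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise TokenError("bad signature")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise TokenError("malformed token") from exc
    # The algorithm is pinned by the verifier; the token does not get to choose it,
    # which rejects "alg": "none" and similar header games outright.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    if payload.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if payload.get("aud") != audience:
        raise TokenError("wrong audience")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired or missing exp")
    return payload


def is_valid(token, issuer, audience, now=None, secret=SECRET):
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, issuer, audience, now=now, secret=secret)
        return True
    except TokenError:
        return False


def authorise(payload, required_role):
    """Authorisation decision based on the roles claim of a verified payload."""
    return required_role in payload.get("roles", [])


if __name__ == "__main__":
    tok = issue_token("alice", ["admin"], "https://issuer.example", "api", 3600)
    claims = verify_token(tok, "https://issuer.example", "api")
    print(claims["sub"], "admin?" , authorise(claims, "admin"))
```

The verifier never consults the token’s own `alg` field to pick a key or algorithm; it computes the HMAC it expects and compares with `hmac.compare_digest` before decoding the payload. Audience and issuer checks stop a token minted for one API from being replayed against another, and the expiry check keeps a leaked token short-lived.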

Published by servergardens
