It seems to me that even a cursory look at such a security model lets you know that it is not good? Because the credentials are passed directly. This means that any breach anywhere in the entire chain from the storage to the remote endpoint leaks complete authority?
If instead you passed merely a signature of the request signed using the secret, then any breach leaks only the specific token, and not the entire client authority.
This is actually a non-trivial difference, unless I am missing something. For example, you could put the signing in a secure enclave, and then it would be protected, and still fast since only the signing must operate securely.
But with the OAuth model, you would have to put the entire application in a secure enclave, from the storage right on down to the part where the HTTPS packet gets encoded, which seems terrible for performance.
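As an added illustration of the request-signing idea sketched in this thread (example code written for this page, not code from any of the thread's participants or from any provider's API), the client below computes an HMAC over the method, path, timestamp and body hash, and sends only that signature; the secret itself never leaves the client. The server recomputes the MAC and rejects requests whose path or body was altered, or that fall outside a replay window. Client id, paths, the secret value and the replay window are constructed placeholders. Note that a symmetric MAC like this can only be checked by a party holding the same secret, which is the limitation a later reply raises about public-key verification of tokens.

```python
"""Request signing vs. sending the client secret itself (constructed example)."""
import hashlib
import hmac
import time

# Constructed demo values, not real credentials.
CLIENT_ID = "demo-client"
CLIENT_SECRET = b"constructed-demo-secret-do-not-use"
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and delivery delay

# Server-side registry of client secrets (constructed; a real deployment
# would keep these in a secrets store or an enclave, as the thread suggests).
SERVER_SECRETS = {CLIENT_ID: CLIENT_SECRET}


def canonical_string(method, path, body, timestamp):
    """Bind the signature to every security-relevant part of the request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method, path, body, secret, timestamp=None):
    """Client side: produce headers carrying a signature, never the secret."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, body, ts), hashlib.sha256)
    return {
        "X-Client-Id": CLIENT_ID,
        "X-Timestamp": str(ts),
        "X-Signature": mac.hexdigest(),
    }


def verify_request(method, path, body, headers, now=None):
    """Server side: recompute the MAC and reject stale or mismatched requests."""
    secret = SERVER_SECRETS.get(headers.get("X-Client-Id"))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    # A captured signature is only useful inside this window, and only for
    # the exact request it was computed over.
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = hmac.new(
        secret, canonical_string(method, path, body, ts), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison avoids leaking the expected value byte by byte.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def secret_leaks_in_headers(headers):
    """True if the long-lived secret itself appears on the wire.

    This is the property the thread objects to in the client-credentials
    flow: with request signing it should always be False."""
    return CLIENT_SECRET.decode() in "".join(headers.values())


if __name__ == "__main__":
    body = b'{"amount": 10}'
    headers = sign_request("POST", "/v1/payments", body, CLIENT_SECRET)
    print("original request verifies:", verify_request("POST", "/v1/payments", body, headers))
    print("same headers, different path:", verify_request("POST", "/v1/refunds", body, headers))
    print("same headers, altered body:", verify_request("POST", "/v1/payments", b'{"amount": 1000}', headers))
    print("secret present in headers:", secret_leaks_in_headers(headers))
```

A party that intercepts `headers` learns a signature valid for one request within the window, not the client's standing authority; compare that with an interception of a request that carries the client secret in an `Authorization` header, which yields the ability to mint any request until the secret is rotated.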
The client credentials flow (which this is) is usually not something that you end up deploying to a web app in my experience, because it only authenticates one person (the holder of the client secret).
I don't think any part of OAuth is really a great design, though; it's all design-by-committee garbage that we're stuck with. I much prefer capability-based security models.
I think they just went with the lowest common denominator here by making user-level authorization not part of the OAuth protocol. But because API access and authentication are already achieved, they can write authorization and permission logic in a single place. RBAC is one option.
Perhaps it is the only way they found to enforce their aged secret's rules?
One thing you are missing is that OAuth 2.0 allows tokens to be validated by other external services with public keys. So I could validate that your token from PayPal was actually signed by the PayPal servers. I'm not sure your method allows that.
What is "my method" in this context? I am strictly referring to the PayPal API, etc., as they currently exist. I have not proposed any method.