
Can you explain why OAuth is not for authentication? What does it not do that you expect an authentication system to do? What is fundamentally wrong with every site that allows me to sign in with a github/google/facebook account (via OAuth)?



Contrast that with the following scenario.

Alan has a web application that shows you all funny tweets. In order to see those tweets you must first create an account.

Username/Pass

You pick a username, you enter a password. That combination is attached to Alan WebApp UserID: 12345

Every time you log in with that username and password combination, you get back Alan WebApp UserID 12345.

Google Login

You click the "Login with Google" button.

It redirects you to say "Do you want to associate your Google account with Alan's Web App?"

You click yes.

Google ID: XYZZY is returned. That id is tied to Alan WebApp UserID 12345.

The next time you go to login, Google returns "This is Google ID: XYZZY". Alan WebApp finds the association XYZZY with Alan WebApp 12345.


> What is fundamentally wrong with every site that allows me to sign in with a github/google/facebook account (via OAuth)?

That is an inaccurate statement.

Those sites allow you to log in with your GitHub/Facebook/Google accounts. That isn't OAuth. Those sites also use OAuth in order to let 3rd party applications access the user's data stored on that system.

Take this scenario:

Alan has a service that finds funny tweets. cpitman wants to use Alan's service to find his funny tweets.

No OAuth Example:

cpitman gives Alan's service his Twitter username and password.

Alan's service logs into Twitter and pulls Twitter data.

With OAuth:

Alan's service opens a request to Twitter asking for Twitter data for cpitman.

Alan's service redirects cpitman to Twitter.

Twitter notifies cpitman that Alan's service wants to access his Twitter data.

cpitman agrees.

Twitter passes back a token.

Alan's service uses the token to access cpitman's Twitter data.
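The six-step OAuth flow above, as an added Python sketch that is not part of the comment or of any real Twitter API: Twitter plays both authorization server and resource server, the client id "alan-service", the scope names "tweets"/"email" and the user store are constructed assumptions. It shows the security point of the token: it is bound to the consenting user, to the client that requested it, and to the resources the user agreed to share, so it is not a general key to everything in cpitman's account.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-in for Twitter's user store (not real data).
TWITTER_USERS = {
    "cpitman": {"tweets": ["funny tweet 1", "funny tweet 2"],
                "email": "cpitman@example.invalid"},
}

@dataclass(frozen=True)
class Grant:
    subject: str        # whose data the token unlocks
    client_id: str      # which third-party app may present it
    scopes: frozenset   # which resources the user agreed to share

class Twitter:
    """Authorization server and resource server in one (assumed, simplified)."""
    def __init__(self):
        self.tokens = {}

    def authorize(self, user, client_id, requested, user_agrees):
        # Steps 3-5: Twitter shows the request, the user consents, a token is issued.
        if not user_agrees:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Grant(user, client_id, frozenset(requested))
        return token

    def read(self, token, client_id, resource):
        # Step 6: the client presents the token; Twitter checks client binding and scope.
        grant = self.tokens.get(token)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("unknown token or presented by the wrong client")
        if resource not in grant.scopes:
            raise PermissionError("token not scoped for " + resource)
        return TWITTER_USERS[grant.subject][resource]

def allowed(twitter, token, client_id, resource):
    try:
        twitter.read(token, client_id, resource)
        return True
    except PermissionError:
        return False

def demo():
    tw = Twitter()
    token = tw.authorize("cpitman", "alan-service", {"tweets"}, user_agrees=True)
    tweets = tw.read(token, "alan-service", "tweets")        # what cpitman consented to
    email_ok = allowed(tw, token, "alan-service", "email")   # False: e-mail was not in scope
    replay_ok = allowed(tw, token, "other-app", "tweets")    # False: token bound to Alan's client
    return tweets, email_ok, replay_ok
```

In this model cpitman's e-mail address is only reachable if he agreed to share it, which is the scope question rather than a proof of who he is.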


But the email ID he used to register at Twitter is also one of the resources associated with his account, and can be accessed as Twitter data?

(beginner here, trying to understand why not use OAuth for Identification/Authentication)


People usually use OpenID for that bit and OAuth for the authorisation to use the third-party APIs as the customer. There's nothing horribly wrong with third-party sign-in if it suits you, especially for smaller projects; however, it does limit your relationship with customers and ties you in to third-party services which might be charged for or shut down at any time, so it's not ideal for many websites. It depends on your requirements.



