by jhuckestein 3693 days ago
As much as I love Stevie, teller.io and this demo: Why not both?

OAuth 2 is not "bad" in general, you just need to consider the implications of using it. If you have an API that allows clients to move customers' money or take out loans, you should take additional steps to defend against MITM attacks. For example, using client-side certificates :)

That said, TAuth looks really good and tidy. Of course the developer may still lose the private key, so in the end you'll always need to additionally monitor API requests for suspicious behaviour.


Hey Jonas! TAuth is simpler than OAuth 2.0 and doesn't suffer the same security issues. So… why use OAuth?
The devil you know I suppose ;)

IIRC we didn't go too far down the client cert route because we're behind CloudFlare and we like it that way. Something to revisit in the future.

The three-legged flow from OAuth is widely needed. (I would agree with sticking to earlier versions that allow more specific tokens though)