[ForHackernews]

> btw OAuth2 spec is insecure by design, it's a known fact.

OAuth2 is only "insecure" in that it relies on TLS for its security: the same as HTTP, IMAP or SMTP. You should never run OAuth2 over a non-HTTPS (i.e. HTTP) connection. The same is true for any other login system.

This is covered in RFC 6819: https://tools.ietf.org/html/rfc6819

[homakov]

Not just that, a couple of other bad decisions that caused made many websites inherently insecure https://sakurity.com/oauth

[machete143]

That is a really bad specification with no examples, no formalization, and zero references.

However, all server-side attack scenarios listed there are not possible with Hydra. Some of them also boil down to misusing OAuth2 for authentication, which is why we have OpenID Connect.

[homakov]

No, ignore the spec (it's just a list of traits i'd like to suggest), design issues are outlined after it.

[ForHackernews]

At a glance, this looks like a proprietary re-invention of of https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-...