by arekkas
3015 days ago
Couldn't agree more with these points. I'd like to point out that

> It isn't a bad idea to read and learn from the OAuth 2 spec in order to make your own auth services

has actually led to quite horrible auth systems. I've seen bad stuff in large enterprises due to this ("we're smarter, we'll solve it for our use case" -> "Oops, we didn't think about session replay"). I recommend OAuth2 for complex systems with many involved parties and clients. There it can really reduce complexity. For normal apps with maybe 1-2 consumers, cookie-based security is secure and good enough!
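As an added illustration of the "session replay" pitfall the comment above mentions (example code, not written by either commenter or taken from the linked project): a minimal cookie-based session scheme where the cookie carries only an opaque random id plus an HMAC tag, and all state lives server-side. Because the server store is the source of truth, a cookie captured earlier and presented again after logout or expiry no longer resolves to a session. The secret key, TTL and in-memory store are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example values: a per-deployment secret (in practice loaded from
# configuration, never hard-coded) and a session lifetime in seconds.
SECRET_KEY = os.urandom(32)
SESSION_TTL = 3600

# Server-side store: session_id -> {"user": str, "expires": float}.
# A real deployment would use a shared store, but the replay check is the same.
_sessions: dict = {}


def _tag(session_id: str) -> str:
    """HMAC over the session id so a tampered cookie is rejected before any lookup."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(user: str, now: Optional[float] = None) -> str:
    """Create a server-side session and return the cookie value '<id>.<tag>'."""
    now = time.time() if now is None else now
    session_id = os.urandom(16).hex()  # 128 bits of randomness, unguessable
    _sessions[session_id] = {"user": user, "expires": now + SESSION_TTL}
    return f"{session_id}.{_tag(session_id)}"


def resolve_session(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a presented cookie, or None if it is invalid, expired or replayed."""
    now = time.time() if now is None else now
    try:
        session_id, tag = cookie.split(".", 1)
    except ValueError:
        return None
    # Constant-time comparison of the tag; reject forged or truncated cookies.
    if not hmac.compare_digest(tag.encode(), _tag(session_id).encode()):
        return None
    record = _sessions.get(session_id)
    if record is None:
        # Unknown id: either never issued, or already destroyed by logout (replay).
        return None
    if record["expires"] <= now:
        del _sessions[session_id]  # expired; drop it so the id cannot be reused
        return None
    return record["user"]


def logout(cookie: str) -> None:
    """Destroy the server-side session; any copy of the cookie is now worthless."""
    session_id = cookie.split(".", 1)[0]
    _sessions.pop(session_id, None)
```

The point the example makes is that replay resistance comes from server-side invalidation, not from anything in the cookie itself: a self-contained signed token with no server record cannot be revoked before it expires, which is the gap a home-grown scheme tends to leave open.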
Assuming you have fully read and understood the OAuth spec, I find that it can be a helpful resource to identify the more complex considerations that might be easily missed in a home-grown auth implementation.
That being said, in my company's case, I haven't entirely followed my own advice, and we did implement our own OAuth 2 server. But we do know the spec pretty comprehensively.
Edit: if anyone's interested in our particular flavour of the protocol, we have it documented at https://github.com/cuvva/docs/blob/master/apis/auth.md#send_...