by scrollaway 2041 days ago
If you'd bothered to read a little more before knee-jerking a reaction comment, you'd know this is only for the authentication flow.

And? What if I want to automate my login flow?
You'll need to find another provider which doesn't care that much about preventing phishing attacks. Google accounts are a big target so it makes sense you move away from the masses.
In practice it just means faking the user-agent and other fingerprinting more enthusiastically. I'm not sure how Google can win that without resorting to the same anti-cheat measures as games companies.
You'll try, but the first time you won't know what fingerprinting tests they are going to do. After a few iterations you'll succeed, but it will be obvious to Google that the account you've just been testing it on belongs to someone trying to break their auth restrictions...

Good luck keeping your account!

I did read that; did you know that passing OAuth tokens into such automation tools is commonplace?
OAuth tokens used in automation tools will continue to work. Entering in username & password through auth, to automate an OAuth flow (or any other traditionally manual flow) will stop working. Breaks some Puppeteer scripts too - but those have been getting flaky for a while now.
Thus making it even more cumbersome for users; now they simply log in, in the future they'll have to know how to get the OAuth token.
It's OAuth. The application can launch a normal browser for the OAuth flow and have the user complete it.
For plenty of applications the whole purpose is not to run "a normal browser" and possibly not even have it installed.
You can also use a browser on a different device if your thing can't run a browser itself. OAuth covers a large space of options.
They can spit out a URL for you to copy into a normal browser, then.
And, OAuth tokens can be revoked, meaning scripts will just suddenly fail.
What's your point? Passwords can change and sessions can get invalidated, which all has the same effect.
Yes I would agree with that, except that if you change a password you know the scripts will fail, but if an OAuth token gets invalidated by the system and not you, then it will fail without warning.