by dennish00a
5306 days ago
I just need to add my voice to the chorus: OAuth really, really sucks. I don't understand what problem it solves. A malicious app (native or web) can find a way to get your password, period. A well-behaved app can have your password and do no harm. And, practically speaking, I don't know any real person who's had a problem that has been solved by the existence of OAuth. OAuth is just a massive pain in the rear end.
The most obvious advantage is the app doesn't have to learn the user's new password when they change passwords.
But you're right, the whole dance of having the app never `touch` the user's password is bullshit, a pretense cooked up by bureaucracy. You could get all the meaningful functionality of OAuth by letting apps request a single "permission key" when they log in - with the user's password. On the other hand, if a site wants real, meaningful security, it could give each user a separate "app password" that they authorize apps with. That would provide real protection - but since it requires one teensy extra step for the end user, it will never, ever fly.
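The two credential models sketched in the reply above (a per-app "permission key" that an app requests once with the user's password, and a separate per-app "app password") as an added, runnable Python model. This is illustration code written for this page, not code from either commenter or from any OAuth library; the `Site` class, its method names, the scope list attached to a permission key, the HMAC-tagged key format and the `alice` account are all assumptions made for the example. It walks through the properties the reply touches on: the app keeps working after the user changes their password, one app's credential can be revoked without affecting the others, and a key requested for one purpose does not grant another.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the stdlib; iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    keys: dict = field(default_factory=dict)           # key_id -> (app, scopes)
    app_passwords: dict = field(default_factory=dict)  # tag -> app


class Site:
    """Hypothetical site that supports both credential models from the reply."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.server_secret = secrets.token_bytes(32)  # never leaves the server

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def _tag(self, data: str) -> str:
        return hmac.new(self.server_secret, data.encode(), "sha256").hexdigest()

    # Model 1: the app presents the password once and gets a scoped "permission key".
    def request_permission_key(self, user, password, app, scopes) -> str:
        if not self._check_password(user, password):
            raise PermissionError("bad password")
        key_id = secrets.token_hex(8)
        self.accounts[user].keys[key_id] = (app, frozenset(scopes))
        return f"{user}:{key_id}:{self._tag(f'{user}:{key_id}')}"

    def check_permission_key(self, token: str, scope: str) -> bool:
        try:
            user, key_id, tag = token.split(":")
        except ValueError:
            return False
        if not hmac.compare_digest(tag, self._tag(f"{user}:{key_id}")):
            return False  # forged or truncated token
        entry = self.accounts.get(user, Account(b"", b"")).keys.get(key_id)
        return entry is not None and scope in entry[1]  # revoked keys are absent

    # Model 2: a separate random "app password" per authorized app.
    def issue_app_password(self, user: str, password: str, app: str) -> str:
        if not self._check_password(user, password):
            raise PermissionError("bad password")
        app_pw = secrets.token_urlsafe(16)
        self.accounts[user].app_passwords[self._tag(app_pw)] = app  # store a tag, not the secret
        return app_pw

    def login_with_app_password(self, user: str, app_pw: str):
        acct = self.accounts.get(user)
        if acct is None:
            return None
        return acct.app_passwords.get(self._tag(app_pw))  # app name, or None

    def revoke_app(self, user: str, app: str) -> None:
        acct = self.accounts[user]
        acct.keys = {k: v for k, v in acct.keys.items() if v[0] != app}
        acct.app_passwords = {t: a for t, a in acct.app_passwords.items() if a != app}

    def change_password(self, user: str, old: str, new: str) -> None:
        if not self._check_password(user, old):
            raise PermissionError("bad password")
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        # Permission keys and app passwords are deliberately left untouched.


def walkthrough() -> dict:
    """Constructed scenario: one user, a mail app with a key, a calendar app with both."""
    site = Site()
    site.register("alice", "correct horse")
    mail_key = site.request_permission_key("alice", "correct horse", "mailreader", ["read:mail"])
    cal_key = site.request_permission_key("alice", "correct horse", "calendar", ["read:calendar"])
    cal_pw = site.issue_app_password("alice", "correct horse", "calendar")
    site.change_password("alice", "correct horse", "battery staple")
    result = {
        "old_password_rejected": not site._check_password("alice", "correct horse"),
        "after_change": (site.check_permission_key(mail_key, "read:mail"),
                         site.login_with_app_password("alice", cal_pw)),
        "scope_limited": site.check_permission_key(mail_key, "read:calendar"),
        "forged_rejected": site.check_permission_key(mail_key[:-1] + "0", "read:mail"),
    }
    site.revoke_app("alice", "calendar")
    result["after_revoke"] = (site.check_permission_key(mail_key, "read:mail"),
                              site.check_permission_key(cal_key, "read:calendar"),
                              site.login_with_app_password("alice", cal_pw))
    return result


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Both models keep the app's credential independent of the account password, which is the property the reply credits OAuth with; the difference is that the permission key carries a scope list the site enforces, while the app password is a full-strength login for that app. The `_tag` helper stores only an HMAC of each app password so a leak of the account table does not expose them.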