by andrewmcwatters 666 days ago
The most common scenario I can think of is needing to log in through a third-party gateway on a first-party site. This is now broken with mainstream browsers, and you need to find another way to do the same thing. I'm not sure what people are doing now, because you can't retain state.

I had my clients just enable it on the browser.

OAuth. You open the login page in a new window with a callback URL. The third party service adds a token to the callback URL, which authorizes you to retrieve the real auth token from that service.
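
The popup flow described in this comment, sketched as an added example (not code from the thread): in the OAuth 2.0 authorization-code flow the value appended to the callback URL is a one-time code, validated here with `state` and PKCE before it is exchanged for the real token. `beginLogin` and `handleCallback` are hypothetical names, and the endpoint, client id and redirect URI are supplied by the caller.

```javascript
// Added example: OAuth 2.0 authorization-code login with state and PKCE.
// Function names are hypothetical; endpoint and client values come from the caller.
const { randomBytes, createHash, timingSafeEqual } = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// Step 1: build the URL for the login window and keep the per-login secrets.
function beginLogin({ authorizeEndpoint, clientId, redirectUri }) {
  const state = b64url(randomBytes(16));    // ties the callback to this login attempt
  const verifier = b64url(randomBytes(32)); // PKCE secret, never placed in a URL
  const challenge = b64url(createHash('sha256').update(verifier).digest());
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: challenge,
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), pending: { state, verifier, clientId, redirectUri } };
}

// Step 2: validate the callback URL, then return the form fields for the
// back-channel POST that trades the one-time code for the real token.
function handleCallback(callbackUrl, pending) {
  const cb = new URL(callbackUrl);
  const expected = new URL(pending.redirectUri);
  if (cb.origin !== expected.origin || cb.pathname !== expected.pathname) {
    throw new Error('callback arrived at an unexpected URL');
  }
  if (cb.searchParams.has('error')) {
    throw new Error('authorization failed: ' + cb.searchParams.get('error'));
  }
  const got = Buffer.from(cb.searchParams.get('state') || '');
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error('state mismatch'); // response was not started by this login
  }
  const code = cb.searchParams.get('code');
  if (!code) throw new Error('callback carries no code');
  return {
    grant_type: 'authorization_code',
    code,
    redirect_uri: pending.redirectUri,
    client_id: pending.clientId,
    code_verifier: pending.verifier,
  };
}
```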

I've never seen OAuth replace the scenario of a first-party site allowing user generated content that can embed a third-party site authentication flow. Are people using OAuth for that?

I've only ever seen it for explicitly supported authentication flows by the first-party site.

The flow is supported by the first party, but the login goes through a third-party gateway which sends a token to the callback URI.

I think the previous poster was responding to this:

“I'm not sure what people are doing now, because you can't retain state.”

They do OAuth.

That's not what I'm talking about. I'm talking about scenarios where the authentication flow is not explicitly supported by the first party. It just exists through an iframe.

There is no replacement. It's just not possible anymore. OAuth doesn't address this.

Yes, that's right. You can't steal credentials from another site without their permission.

No... that's not how that mechanism was ever used. The authentication flow I'm describing was used by companies to embed login flows for functionality that was delivered by iframe as companion behavior next to the first-party site.