OAuth. You open the login page in a new window with a callback URL. The third party service adds a token to the callback URL, which authorizes you to retrieve the real auth token from that service.
I've never seen OAuth replace the scenario of a first-party site allowing user generated content that can embed a third-party site authentication flow. Are people using OAuth for that?
I've only ever seen it for explicitly supported authentication flows by the first-party site.
That's not what I'm talking about. I'm talking about scenarios where the authentication flow is not explicitly supported by the first party. It just exists through an iframe.
There is no replacement. It's just not possible anymore. OAuth doesn't address this.
No... that's not how that mechanism was ever used. The authentication flow I'm describing was used by companies to embed login flows for functionality that was delivered by iframe as companion behavior next to the first-party site.
OAuth. If you take Google as example, You let them sign in with Google through OAuth and then query the user data through the APIs. On-behalf-of/authorization code grant flow.
You can’t do an iframe, but you can still get the data if it’s supported by their api and yours.
I've only ever seen it for explicitly supported authentication flows by the first-party site.