Hacker News new | ask | show | jobs
by andrewmcwatters 666 days ago
That's not what I'm talking about. I'm talking about scenarios where the authentication flow is not explicitly supported by the first party. It just exists through an iframe.

There is no replacement. It's just not possible anymore. OAuth doesn't address this.
1 comments
immibis 666 days ago
Yes, that's right. You can't steal credentials from another site without their permission.
link
andrewmcwatters 666 days ago
No... that's not how that mechanism was ever used. The authentication flow I'm describing was used by companies to embed login flows for functionality that was delivered by iframe as companion behavior next to the first-party site.
link
moi2388 665 days ago
OAuth. If you take Google as example, You let them sign in with Google through OAuth and then query the user data through the APIs. On-behalf-of/authorization code grant flow.

You can’t do an iframe, but you can still get the data if it’s supported by their api and yours.

Which is the way it should be, imo.

link