Posts Tagged - oauth

OAuth 2.0

Authentication is the process of verifying an identity: we confirm that users are who they say they are (for example, with a username and password).

Authorization is the process of verifying what someone is allowed to do (permissions and access control).

Past solutions

From worst to best, with the problems each one introduces:

Credential Sharing

The worst option. The app cannot distinguish genuine user access from programmatic access.
Permissions are typically too broad, so the app also gains the ability to access more content than it should.

We could redirect the user to the API, where they enter their credentials and receive a cookie. This allows an app to access the API.

Dangerous because of CSRF attacks: we have authorised the whole browser, not just the app.
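The cookie problem above, as an added illustration that is not part of the original post: a toy model of an API that trusts the session cookie (which the browser attaches to cross-site requests too) beside one that requires an app-specific, scoped token in a header only the app can set. All names, tokens and URLs are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample state (hypothetical values, not from the post): a browser
# session cookie issued by the API, and a token issued to one specific app.
SESSION_COOKIES = {"api_session": "sess-abc123"}
VALID_SESSIONS = {"sess-abc123": "alice"}
APP_TOKENS = {"tok-app-42": {"user": "alice", "scopes": {"read:profile"}}}

@dataclass
class Request:
    path: str
    scope_needed: str          # permission the endpoint requires
    origin: str                # page that initiated the request
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def authorize_with_cookie(req):
    """Past solution: trust whoever presents the session cookie. The browser
    attaches it to cross-site requests too, so any page the user visits is
    as authorised as the app they meant to authorise (the CSRF problem)."""
    return VALID_SESSIONS.get(req.cookies.get("api_session"))

def authorize_with_app_token(req):
    """Per-app token in a header the caller must set explicitly, checked
    against a scope. A forged cross-site request cannot add that header,
    and a token with narrow scopes cannot reach endpoints beyond them."""
    auth = req.headers.get("Authorization", "")
    grant = APP_TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if grant is None or req.scope_needed not in grant["scopes"]:
        return None
    return grant["user"]

def browser_request(origin, path, scope, token=None):
    """Simulate the browser: cookies for the API origin ride on every request,
    whatever page started it; the Authorization header only if the app set it."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return Request(path, scope, origin, dict(SESSION_COOKIES), headers)

def demo():
    legit = browser_request("https://app.example", "/me", "read:profile", "tok-app-42")
    forged = browser_request("https://evil.example", "/me/delete", "delete:account")
    overbroad = browser_request("https://app.example", "/me/delete", "delete:account", "tok-app-42")
    return {
        "cookie_legit": authorize_with_cookie(legit),        # "alice"
        "cookie_forged": authorize_with_cookie(forged),      # "alice": forged request accepted
        "token_legit": authorize_with_app_token(legit),      # "alice"
        "token_forged": authorize_with_app_token(forged),    # None: no app token present
        "token_overbroad": authorize_with_app_token(overbroad),  # None: scope not granted
    }
```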
