Suppose I want to use some functionality on foo.com which requires associating my activity with me specifically - for example, posting on a forum, or playing some games and having the site keep track of my wins and losses. Rather than creating a site-specific account or trying to track me by IP, foo.com offers me an option to "authenticate with bar.com", which uses OAuth or OAuth2. I do already have an account at bar.com.

• If I am not already logged in at bar.com, I should always log in separately before attempting to authenticate, correct? There is no way that foo.com can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?

• Similarly, if I believe I'm logged in at bar.com already, but trying the foo.com authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?

• Supposing I am not asked for credentials - how can I verify that I have been properly redirected through bar.com to give permission for authentication?

• When I give bar.com permission to authenticate me to foo.com, how do I know that this won't compromise my bar.com login? What information is actually communicated per the OAuth protocol?

• When I give such permission, typically bar.com will warn me that foo.com wants permission to access (or know) certain information about my bar.com account. How can I be sure that only that information is being transmitted?

• Could foo.com ever gain the ability to modify my bar.com account information?

• Could it happen that the authentication appears to just work without me giving consent on a bar.com interstitial? If that happened, what should I do?

posted 7 months ago

CC BY-SA 4.0

Karl Knechtel‭

156 reputation 4 3 21 5