Post History

Q&A Understanding OAuth(2) security: what's a realistic threat model?

2 answers  ·  posted 8mo ago by Karl Knechtel  ·  last activity 5mo ago by matthewsnyder

#1: Initial revision by Karl Knechtel · 2024-04-19T16:29:09Z (8 months ago)
Understanding OAuth(2) security: what's a realistic threat model?
Suppose I want to use some functionality on `foo.com` which requires associating my activity with me specifically - for example, posting on a forum, or playing some games and having the site keep track of my wins and losses. Rather than creating a site-specific account or trying to track me by IP, `foo.com` offers me an option to "authenticate with `bar.com`", which uses OAuth or OAuth2. I do already have an account at `bar.com`.

* If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?

* Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?

* Supposing I am not asked for credentials - how can I verify that I have been properly redirected through `bar.com` to give permission for authentication?

* When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?

* When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that *only* that information is being transmitted?

* Could `foo.com` ever gain the ability to *modify* my `bar.com` account information?

* Could it happen that the authentication appears to just work *without* me giving consent on a `bar.com` interstitial? If that happened, what should I do?