Post History
#1: Initial revision
Understanding OAuth(2) security: what's a realistic threat model?
Suppose I want to use some functionality on `foo.com` which requires associating my activity with me specifically - for example, posting on a forum, or playing some games and having the site keep track of my wins and losses. Rather than creating a site-specific account or trying to track me by IP, `foo.com` offers me an option to "authenticate with `bar.com`", which uses OAuth or OAuth2. I do already have an account at `bar.com`.

* If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
* Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
* Supposing I am not asked for credentials - how can I verify that I have been properly redirected through `bar.com` to give permission for authentication?
* When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
* When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that *only* that information is being transmitted?
* Could `foo.com` ever gain the ability to *modify* my `bar.com` account information?
* Could it happen that the authentication appears to just work *without* me giving consent on a `bar.com` interstitial? If that happened, what should I do?
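The following is an added, constructed walk-through of the OAuth 2.0 authorization-code flow that the question is asking about; it is not part of the question or of any answer on this page, and the `AuthorizationServer` and `RelyingParty` classes, the user `alice`, the client id `foo-client` and the callback `https://foo.com/callback` are hypothetical stand-ins rather than any real library's API. It shows what actually travels between the two sites: the password is entered and checked only on `bar.com`, `foo.com` receives a one-time code and then a token whose `scope` limits what it can read, consent is required before any code is issued, and `foo.com` rejects any callback whose `state` it did not generate itself.

```python
# Constructed walk-through of the OAuth 2.0 authorization-code flow between a
# relying party ("foo.com") and an authorization server ("bar.com"). Hypothetical in-memory classes.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}  # flatten a URL's query string

class AuthorizationServer:
    """bar.com: checks passwords and consent; issues one-time codes and scoped tokens."""
    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret", "redirect_uri"}, registered out of band
        self.sessions = {}       # session cookie -> user name
        self.codes = {}          # one-time code -> grant details
        self.tokens = {}         # access token -> {"user", "scope"}
    def login(self, user, password):
        """The only place the bar.com password is ever checked (constructed user and password)."""
        if (user, password) != ("alice", "correct horse battery staple"):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie
    def authorize(self, cookie, client_id, redirect_uri, scope, state, consents):
        """GET /authorize on bar.com; returns (status, URL to send the browser back to)."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        user = self.sessions.get(cookie)
        if user is None:
            return "login_required", None   # bar.com shows its own login page first
        if not consents:
            return "denied", redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user": user, "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope}
        return "ok", redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, code, redirect_uri):
        """POST /token: the client authenticates itself and swaps the single-use code for a token."""
        client = self.clients.get(client_id)
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed exactly once
        if client is None or client["secret"] != client_secret or grant is None:
            raise PermissionError("invalid client or code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": tok, "token_type": "Bearer", "scope": grant["scope"]}
    def resource(self, access_token, field):
        """Protected resource: only fields named in the token's scope are released."""
        t = self.tokens.get(access_token)
        if t is None or field not in t["scope"].split():
            return None   # a real server answers 403 here
        return f"{field} of {t['user']}"

class RelyingParty:
    """foo.com: handles a code and a scoped token, never the bar.com password."""
    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, secret, redirect_uri
        self.pending = set()   # state values we generated and have not yet seen returned
    def start(self, scope):
        """Build the authorization URL; the browser goes to bar.com, not to a foo.com login form."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://bar.com/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})
    def finish(self, redirect_back_url):
        """Handle the browser's return; reject any response this site did not initiate."""
        q = query(redirect_back_url)
        if q.get("state") not in self.pending:
            raise PermissionError("state mismatch: not a reply to a request we made")
        self.pending.discard(q["state"])
        if "error" in q:
            return None   # user declined on bar.com; no token exists
        return self.server.token(self.client_id, self.secret, q["code"], self.redirect_uri)

def run_demo():
    """Drive the flow end to end and return the observations worth checking."""
    bar = AuthorizationServer({"foo-client": {"secret": "foo-secret", "redirect_uri": "https://foo.com/callback"}})
    foo = RelyingParty(bar, "foo-client", "foo-secret", "https://foo.com/callback")
    out = {}
    url = foo.start("profile")
    q = query(url)
    out["authorize_host"] = urlparse(url).netloc   # the login/consent page lives on bar.com
    # Without a bar.com session the server issues nothing; the password is entered on bar.com only.
    out["no_session"] = bar.authorize(None, q["client_id"], q["redirect_uri"], q["scope"], q["state"], True)[0]
    cookie = bar.login("alice", "correct horse battery staple")
    # Consent granted: foo.com redeems the code and receives a token limited to "profile".
    _, back = bar.authorize(cookie, q["client_id"], q["redirect_uri"], q["scope"], q["state"], True)
    tok = foo.finish(back)
    out["token_scope"] = tok["scope"]
    out["profile"] = bar.resource(tok["access_token"], "profile")
    out["email"] = bar.resource(tok["access_token"], "email")   # outside the granted scope
    # Consent refused on the interstitial: an error comes back and no token is issued.
    q2 = query(foo.start("profile email"))
    _, back2 = bar.authorize(cookie, q2["client_id"], q2["redirect_uri"], q2["scope"], q2["state"], False)
    out["declined"] = foo.finish(back2)
    try:   # a callback foo.com never requested (unknown state) is rejected outright
        foo.finish("https://foo.com/callback?code=xyz&state=forged")
    except PermissionError:
        out["forged_state_rejected"] = True
    return out
```

Calling `run_demo()` returns the observations as a dict: the authorization URL points at `bar.com`, an unauthenticated browser gets `login_required` rather than a code, the token carries only the `profile` scope and the resource server returns nothing for `email`, a declined consent yields no token, and a forged `state` is refused. The same structure is why the questions above have the answers they do in practice: `foo.com` is never in a position to see the `bar.com` password, and what it can read or change is bounded by the scopes the user approved on `bar.com`.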