Blog

Oauth2 antipattern (zagorski software tester)

On September 6, 2014, in Syndicated, by Association for Software Testing
0
Credit: http://ocpsoft.org/

Oauth is open standard for authorizations. It enables third party content provider to authorize users to use their services, using user credentials stored in Oauth provider database.

Lets take as example Stackoverflow. You can log in to stack overflow using your Facebook account. Now try next scenario. In incognito mode log in to Stackoverflow using your Facebook account. Go to Facebook.com. You are already logged in to your Facebook account. Did you expect that?

Go to stackoverflow log out page. Wait a minute, what is this rambling on log out page!?

If you’re on a shared computer, remember to log out of your Open ID provider (Facebook, Google, Stack Exchange, etc.) as well.

Click on logout and go to Facebook.com You are still logged in to your Facebook account!

This is security issue, not only if you are using public computer. This is security issue because by logging to Stack overflow, you are also logged to oauth service provider.

Now log out from Facebook account and do the refresh in stackoverflow home page. You are still logged in to stackoverflow.

Dear oauth providers, separate authentication token for third party providers from authentication token for your service, because if you do that, web would be much safer place.

Dear third party oauth service user, please also do automatic logout from oauth service provider application, because you can do that. Notification message in small print will not do the trick.

 

Comments are closed.


Looking for something?

Use the form below to search the site:


Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!