Posts tagged 'standards'

  • Why is there no authentication in OAuth?

    OAuth, a standard for securely delegating authorization information, and OIDC, a profile written on top of it to securely transmit user profile data, both rely heavily on authentication of the user (also known as the ‘resource owner’) at the authorization server. The authorization server issues tokens only after the user has been authenticated to its satisfaction.

    However, there is next to no guidance about how to actually authenticate the user. Should I use a username and password? A magic link? Delegate to a third party? Require a TOTP code?

    This question came up in a discussion amongst the FusionAuth team and I thought it was worth digging into a bit more.

    Why exactly is ‘authentication’ undefined in OAuth/OIDC?

  • How to Protect Your Organization From Auth Vendor Lock-in

    Years ago your team decided to use a third-party auth system to avoid the time and cost of building one in-house. But now a better option has hit the market and you want to make the switch. Except, hold on, your old system is so deeply ingrained in your organization that you are practically locked in to your current vendor.

  • Why use a standardized auth protocol?

    Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of a user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.

  • What's Wrong With the OAuth2 Implicit Grant?

    The Implicit grant is part of the OAuth 2 RFC, but it is one of the features omitted from the OAuth 2.1 specification. With this grant, you don’t have to write server-side code. Instead of exchanging an authorization code for an access token, you receive the access token directly in the redirect.

  • GNAP, the next generation of OAuth

    The Grant Negotiation and Authorization Protocol, also known as GNAP, is currently being formulated in an IETF working group. This protocol will not be backward compatible with OAuth2. However, since it is a new major auth standard and is currently in development, you should give it some attention.

  • What's new in OAuth 2.1?

    Hey look! OAuth is getting spiffed up a bit. The original OAuth 2.0 specification was released in October 2012 as RFC 6749. It replaced OAuth 1.0, released in April 2010. There have been some extensions over the years. A new OAuth specification has been proposed and is currently under discussion. As of this blog post’s writing, the specification was most recently updated on March 8, 2020. If approved, OAuth 2.1 will obsolete certain parts of OAuth 2.0 and mandate additional security best practices. The rest of the OAuth 2.0 specification will be retained.
