Should I bother implementing OAuth authentication, noting the security issues?

Associate
Joined
1 May 2006
Posts
810
Location
Bristol, UK
Hello everyone!

It's been a while since I've posted in HG&P, I hope you're all well.

I'm just starting out on a new project and as always, security is the first thing on my mind. I've got the standard user registration / login sorted out and I was also considering adding in Social Authentication via HybridAuth to let users sign in with their Facebook / Twitter / Google / etc account.

I then stumbled across web articles like http://www.breaksec.com/?page_id=6002 and others claiming that there are massive security holes in OAuth2.

My key question is, are there any security issues for me as a consumer of OAuth2?

Thanks in advance :)
 
Soldato
Joined
18 Oct 2002
Posts
15,202
Location
The land of milk & beans
I don't know specifically about the security holes, but personally I find having to create an account with a specific site a massive PITA and will make me look elsewhere. Just being able to click a 'Login with Google account' button is a massive plus for any services and will get you more users IMO.
 
Associate
OP
Joined
1 May 2006
Posts
810
Location
Bristol, UK
Thanks for the replies both.

The design route that I've chosen will cater for both 'Registered' users and 'Social' users, making it easy for people to 'login with google' but also allowing people to create a new account if, like me, they don't want to let 'random website z' have access to their precious facebook photos.

My concern is more around whether my app is exposed in any way by allowing 'social' authentication. By the sounds of it, it's not, so I'll plow on regardless and be ready to comment out code if someone comes up with a showstopper :)
 
Soldato
Joined
18 Oct 2002
Posts
15,202
Location
The land of milk & beans
From reading those articles, the holes lie in FB (or whoever the OAuth provider is), so your site would be safe. All you're doing effectively is passing them the user credentials, and they give you a yes or a no back.

As DJ said, the best way forward would be to offer local and remote authentication.
 

fez

Caporegime
Joined
22 Aug 2008
Posts
25,120
Location
Tunbridge Wells
There are no security holes in the oauth 2 implementation as far as I know. There have been a number of sensationalist articles that claim as much but it seems to have all originated from a bit of a rant from one of the people involved in oauth from 1 onwards.

Oauth1 was very locked down, tricky to implement and usually implemented really poorly by the providers. The upside was that the specification meant that security was very good.

Oauth 2 is a lot more open but much easier to implement and use for both sides of the equation. The problem as far as I understand comes from this open nature. You have to implement certain things for oauth2 but a lot of the security is left to the provider to implement as they see fit.

As with a lot of the web, the wrong people were responsible for a lot of the decisions and large companies bent the spec to their own desires. What you have to remember is that facebook, twitter, linkedIn and co will not want to have a security breach. They would not implement a system that is easily abused and misused or they would lose all trust.

I have just implemented oauth for linkedIn, facebook and twitter and as luck would have it, as soon as I finished my oauth 1a implementation for linkedIn, they enabled their oauth 2 process. What took me a week to get sorted in oauth 1 took about 4 hours in oauth 2.
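The consumer-side checks fez alludes to ("you have to implement certain things for oauth2"), as an added example that is not code from this thread, from HybridAuth or from any provider: the relying-party app binds a random, single-use `state` value to the user's session before redirecting, and on the callback refuses to proceed unless the returned state matches and the request landed on the registered redirect URI. The provider URL, client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder provider and client settings (constructed for this example, not any real provider's).
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://myapp.example/auth/callback"


def begin_login(session: dict) -> str:
    """Build the authorization request, binding a fresh single-use `state` to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "email",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> tuple[bool, str]:
    """Validate the provider's redirect back to us.

    Returns (True, authorization_code) on success, or (False, reason) when the
    callback must be rejected. The state is popped so a replayed callback fails.
    """
    parsed = urlparse(callback_url)
    # Accept only the exact redirect URI we registered with the provider.
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        return False, "callback arrived at an unexpected redirect URI"
    query = parse_qs(parsed.query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        # Unsolicited or forged response: treat it as login CSRF and log nobody in.
        return False, "state mismatch, rejecting callback"
    if "error" in query:
        return False, f"provider returned error: {query['error'][0]}"
    code = query.get("code", [""])[0]
    if not code:
        return False, "no authorization code in callback"
    # The code is then exchanged server-side for a token; that step is provider-specific.
    return True, code
```

Exchanging the code for a token and fetching the profile is the part a library such as HybridAuth does for you; the state and redirect URI checks above are what protect your own login flow regardless of which provider is on the other end.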
 