OAuth alternative? | ansaurus

tags:

views:

503

answers:

3

Q:

OAuth alternative?

Hi, I have been investigating OAuth to share resources in my site to other sites. But, hole of OAuth specification was reported several days ago. http://oauth.net/advisories/2009-1

Many sites decided to stop OAuth until fixed version is released.

Currently, can we have any alternative to OAuth? I want an open-standard and secure authorization protocol.

A:

What about OpenId?

Daniel A. White 2009-04-29 18:28:18

OpenId is not for authorization but for authentication.

grayger 2009-04-29 18:32:31

+1 A:

OAuth was built because there weren't any existing standards that solved the same problem. A fixed OAuth spec is forthcoming soon. It will be a pretty small change to the existing protocol.

Jonathan 2009-04-30 03:41:45

I agree with Jonathan. We are using Oauth in our system we have high demands for security. Go with Oauth it's a great standard and solution.

Jonas Söderström 2010-01-20 14:44:13

+1 A:

In the short term, your best bet is to fall back on basic authentication mechanisms (requiring users to enter their credentials into your site for the foreign site).

Like Jonathan said, the hole will be fixed soon in the spec.

Terry 2009-04-30 03:56:40

Collecting credentials for foreign sites creates a lot of security problems that are more serious than the bug in OAuth 1.0.

Jonathan 2009-05-01 07:49:31

I think that depends on how you do it, and I'd agree that it has a higher potential for messing up, but the OAuth bug was a pretty serious hole, and until it's fixed there aren't alternatives.

Terry 2009-05-01 20:34:16

related questions

Should unauthorized actions in the UI be hidden, disabled, or result in an error?

Porting JDBCRealm from tomcat to OC4J

Any frameworks on Authentication & Authorization for Windows Form Application?

How to design database for authorization and authentication

ASP.NET MVC Authorization

Custom Rails authentication / authorization

How to handle authorization when using NHibernate in .NET

How to allow authorization to an rss feed using ASP.NET MVC?

Security integration with arcPlan Enterprise

Best way to implement fine-grained authorization for a web application?

Authentication system for ASP.NET web applications?

User Access Checking for Rights on Particular Database Objects or Records

Authorizing REST Requests

Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

How do you restrict access to a certain user using ASP.NET MVC?

Scalable/Reusable Authorization Model

Forms Authentication Error in WCF

What are the best-practices around resource list authorization?

Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?

Non-interactive authentication/authorization for XML-RPC?

WCF Service authorization patterns

Managing large user databases for single-signon.

Best way to handle user account authentication and passwords

Best practise to authorize all users for just one page in asp.net

Why do I get the error "Unable to update the password" when calling AzMan?