@axleyjc@federate.social (Jason Axley) · Jun 11, 2019 · 4:19 PM UTC

@axleyjc@federate.social (Jason Axley)

@axleyjc@federate.social (Jason Axley) @axleyjc

11 Jun 2019

OAuth is for authorization, not authentication OAuth is for authorization, not authentication OAuth is for authorization, not authentication OAuth is for authorization, not authentication OAuth is for authorization, not authentication OAuth is for authorization, not auth'n

Aaron Parecki · Jun 11, 2019 · 4:21 PM UTC

Aaron Parecki · Jun 11, 2019 · 4:21 PM UTC

Aaron Parecki @aaronpk

11 Jun 2019

Replying to @axleyjc

You might enjoy this analogy! developer.okta.com/blog/2019…

7 Ways an OAuth Access Token is like a Hotel Key Card

Learn 7 things OAuth 2.0 access tokens have in common with a hotel key card.

developer.okta.com

Jun 11, 2019 · 4:21 PM UTC

@axleyjc@federate.social (Jason Axley) · Jun 13, 2019 · 3:24 PM UTC

@axleyjc@federate.social (Jason Axley) @axleyjc

13 Jun 2019

Replying to @aaronpk

I like this analogy! A couple things that could make it better, especially for those who misuse/abuse OAuth for authentication:

@axleyjc@federate.social (Jason Axley) · Jun 13, 2019 · 3:25 PM UTC

@axleyjc@federate.social (Jason Axley) @axleyjc

13 Jun 2019

1. Possession of the hotel keycard does *NOT* in any way prove you are the person who checked into the room it grants access to. Nobody should use the keycard to try to figure out who the person is.