API-Security-Checklist

OAuth referred to as AuthN

Open · garthoid opened this issue 1 year ago · 1 comment

This may sound pedantic but I hear it all the time and it leads to confusion about OAuth. OAuth is not an authentication (AuthN) mechanism, it is an authorization mechanism (AuthZ) which relies on an authorization service or identity provider to confirm the identity of the principal. OIDC might be one mechanism to support this.

Please remove OAuth from the line in authentication section: "Don't use Basic Auth. Use standard authentication instead (e.g., JWT, OAuth)."

garthoid · Oct 28 '22 14:10

@garthoid I don't think it's pedantic at all, they make a clear point on the oauth website:

OAuth is used in a wide variety of applications, including providing mechanisms for user authentication. This has led many developers and API providers to incorrectly conclude that OAuth is itself an authentication protocol and to mistakenly use it as such. Let's say that again, to be clear:

OAuth 2.0 is not an authentication protocol.

Much of the confusion comes from the fact that OAuth is used inside of authentication protocols, and developers will see the OAuth components and interact with the OAuth flow and assume that by simply using OAuth, they can accomplish user authentication. This turns out to be not only untrue, but also dangerous for service providers, developers, and end users.

https://oauth.net/articles/authentication/

tabascoterrier · Nov 03 '22 14:11

We probably should, in addition, have some kind of definition, or at least clarification, of what exactly we mean by "standard authentication" (or then, there's the question of whether it would be better to have "standard authentication" or "standard authorization" as the recommendation written there in the first place). Given that this is a "checklist" rather than an in-depth learning resource or the like, this would presumably be done just as a simple link embedded within the recommendation pointing to such a resource, rather than by writing such definitions or clarifications into the checklist itself directly. For the benefit of the security-illiterate, for those that don't already know the difference et al., it may provide a stronger point of reference for them to understand why such a change would be implemented in the first place (because I could envision a counter-argument such as "Why even worry about that? The implications and end results are the same anyway!" arising). (Related to #8.)

Maikuolan · Nov 06 '22 05:11

I'm new to GitHub and the open source community, I saw this proposed change and understand what is being requested. Is it ok for me to make the change as a way to get familiar with contributing to open source projects?

mattspiekerman · Nov 10 '22 01:11