TheJach.com

Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)
Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

On OAuth

This is more of a technical article, but it's pretty concise. Still, if you fear technology, you might want to stop reading, shut off your computer, seal it in cement, and drop it off in the ocean.

OAuth, to put it simply, is a protocol that securely allows users to trust a third party application with their data somewhere else, and never have to give up their password. I discovered the protocol when I was doing some Twitter stuff for work, and I'm quite impressed by it.

I'll give an example of how Starwing (a message board I frequent) might use such a service. Say I made an application that made the forum seem like an email client, namely Gmail. (Gmail organizes emails into "threads", like a message board, but that's as far as it goes without getting into extra details.) So, my client acts like a Gmail reader for Starwing, and allows you to read and, optionally, write new messages.

The obvious way to do this is for my application to request and store your Starwing username and password, then send a background request that actually uses Starwing's login form to log you in behind the scenes. A lot of applications do this, and it's not a horrible idea (especially for a plan B if OAuth went down for some reason), but obviously the passwords must be stored in plain text, that is without any encryption, so if the list was ever compromised then the attacker has the actual passwords to the service.

Another bad thing is that once our email-like application has logged in with the username and password, it can literally do anything, even change the password. Or a bug in the application might do horrendous things to the user, for example posting unwanted messages or deleting itself. And then the user has to worry about the creators of our email application going maverick and putting stuff in to steal the passwords, or if they're stored somewhere in an online database, then simply looking at them.

One way around this requires a good deal of cooperation between the service (Starwing) and our email application. That is, Starwing says it will allow our application to send the irreversible encrypted password hash instead of the plain text one which it encrypts itself to match. A problem with this is that it kills one of the advantages of not knowing what kind of hashing system a service uses, so then the attacker has brute force capabilities. And if the service is cooperating with our application, then chances are our application isn't checked for brute forcing because we'd have so many potential users logging on at the same time, and more users = more forgotten passwords and attempt after attempt. (I sometimes have to through my whole list of passwords for some site if I forget which specific one I used.)

Besides these shortcomings, the application must still store the hashed value somehow, which may be less secure than the service's storage system, and if the attacker has the hash AND the algorithm, it's theoretically over for the user if he has enough computing power to brute force it. An 8 character password has 722,204,136,308,736 possible arrangements, given it uses only characters with a-z, 0-9, and !-). While this would take a very long time for a single computer to go through, a multi-computer botnet could rip through it. If you had a (relatively) small botnet of a million computers, and only had each one try a billion combinations (a matter of seconds), then you're already on the right order of magnitude for the amount of things to crack. (i.e. 100,000,000,000,000.) Decrease the botnet size, increase the amount to test. It doesn't get theoretically impossible for a while, at least with just 8 char passwords. (My 34 character one is essentially resistant to these attacks for its length alone.)

Enter OAuth. Now let's describe what happens when the user wants to authorize our email system access to their account. We set up an account with Starwing to label our application as a third party. We get back two encrypted values called our key and secret that our application uses to verify that we're really us. So now, a user clicks a link in our application, which takes them to Starwing itself. There, they enter their username and password if they're not logged in, and now they're authenticated only on Starwing. They're greeted with an option saying that our application wants to have read and possibly write access to their account. How much our application can read and how much it can write is determined by Starwing itself, though it could also probably be determined by users in some situations. This means that our application could never change things such as a password, or Starwing can have message limits to prevent flooding.

So now what happens when the user clicks their agreement? They're redirected back to some link on our application, along with a few signed hashes that our application then sends back to Starwing, and Starwing then sends us two hashed user tokens, a key and a secret. We store these, and we use them to authenticate to Starwing through OAuth, without ever having access to the user's password.

Now, if anyone has seen the tech news recently, an OAuth vulnerability was discovered. But really it's not much to worry about; it's basically the fact that our application has no automated way of knowing whether the user who clicked our button to start the process is the same who has been redirected by the server. At work we solved this without thinking about it by requiring the user to be logged in to our application before it would accept any OAuth thing. Others though don't use that, and now they're figuring out various ways of guaranteeing that it's the same person. I'm not going to pretend to understand all the cryptology involved.

So, that's OAuth. I think it's pretty sweet, and that every third party application that connects to another third party application should use it. This lets the user be at ease when they give access to their account, since their password is never stored in plain sight.

Posted on 2009-06-12 by Jach

Tags: programming

Permalink: https://www.thejach.com/view/id/2

Trackback URL: https://www.thejach.com/view/2009/6/on_oauth

Back to the top

Back to the first comment

Comment using the form below

(Only if you want to be notified of further responses, never displayed.)

Your Comment:

LaTeX allowed in comments, use $$\$\$...\$\$$$ to wrap inline and $$[math]...[/math]$$ to wrap blocks.


Archives

All posts, ever (405)

RSS Feed: RSS FEED

Selected Posts

Thoughts on Writings on Lisp The Last Choice Jump Game As Interview Problem, Domain Solutions OOP in C with Function Pointers and Structs What is customer trust? Correlation is evidence of causation Absence of Evidence is Evidence of Absence Mesh Current Method A new favorite equation? Mindlessness Meditation Sephira Su Archives

Recent Posts

Japan Trip 4 and 5
2024-02-29
Possible errors and downtime
2024-01-18
Parting is such sweet sorrow
2024-01-14
Leaving a mark
2023-12-20
Keep saying no to unionizing tech
2023-11-21

Recent Comments

@ Anon October 31, 2023 Well, Sapphirus isby Anonymous on Furcadia is Dead
December 18, 2023 03:08 PM
At least this page will remain up. If the siteby Jach on Furcadia is Dead
November 03, 2023 09:35 AM
The forums were closed because Sapphirusby Anonymous on Furcadia is Dead
October 31, 2023 07:16 AM
Just a random internet user passing by. Iby Anonymous on Furcadia is Dead
October 05, 2023 07:04 AM
Welp, guess this thread is now dead. Kind ofby Anonymous on Furcadia is Dead
June 21, 2023 11:00 AM

Tag Cloud

aliens
 (1),

altruism

 (3),

Anarchy

 (14),
anime
 (2),

anti-anarchy

 (3),

artificial intelligence

 (9),
assembly
 (1),

atheism

 (9),
awesome
 (1),
bash
 (1),
basics
 (1),

bayes

 (8),

books

 (8),

business

 (3),

c

 (9),

c++

 (4),
cars
 (1),
circuit analysis
 (2),

clojure

 (13),
cloning
 (2),
cognition
 (2),
college
 (1),
comics
 (1),
computer engineering
 (2),
couchdb
 (1),

cryonics

 (3),
curl
 (1),

daily life

 (15),

databases

 (3),

debate

 (3),
demo
 (1),
design
 (1),
disaster
 (1),

economics

 (3),
evolution
 (2),

existentialism

 (3),
FFP Machine
 (1),

fiction

 (4),

flex

 (5),

fodder

 (31),

food

 (3),
forth
 (1),
FPGA
 (2),

free will

 (4),
french
 (1),
furcadia
 (1),
future
 (1),

games

 (6),
git
 (2),

government

 (33),
grammar
 (1),

hacking

 (3),
HDL
 (1),
hiring
 (2),
history
 (1),
immigration
 (1),

intellectual property

 (9),
italy
 (1),

japan

 (5),

java

 (5),

jMonkeyEngine

 (4),

language

 (5),

learning

 (5),

lisp

 (16),
LucidDB
 (1),
management
 (1),

math

 (25),

memo

 (8),
money
 (1),

morality

 (27),
music
 (1),

nanotech

 (3),
NaNoWriMo2009
 (2),

NaNoWriMo2010

 (3),
nature
 (2),
nim
 (2),
non-cooperation
 (1),

non-violence

 (12),

open source

 (5),
PARODPY
 (1),
patents
 (1),

personal

 (65),

philosophy

 (86),

php

 (9),

physics

 (3),

pithy

 (3),
poetry
 (1),
privacy
 (1),

probability

 (7),

programming

 (100),
psychology
 (2),

pygame

 (3),

python

 (14),
quality
 (1),
quotes
 (1),
race
 (1),

rant

 (33),
rap
 (1),

rationality

 (19),

religion

 (15),

religious thinking

 (4),
response
 (2),

reviews

 (6),
safety
 (1),

school

 (12),
science
 (1),
scifi
 (1),
scripting
 (1),

security

 (3),
services
 (1),
silly
 (2),

singularity

 (6),
soldiers
 (2),
song translation
 (1),
sql
 (1),
statistics
 (2),

stupidity

 (17),

taoism

 (5),
teaching
 (2),
technology
 (2),
testing
 (1),
The Void
 (1),

thought

 (42),
tip
 (2),

tips

 (13),

travel

 (6),

uberman

 (4),
unicode
 (1),
utility
 (2),

vim

 (3),
vtuber
 (2),
words
 (1),
work
 (2),
xml
 (1)

Better Websites

Overcoming Bias Dan Luu's Blog Coyo's Channel 🐺🐾 Hacker News Less Wrong Sequences Gwern's Essays Current Events Moldbug's Essays Paul Graham's Essays Ridiculous Fish Kim Øyhus's Home Page Paul Nylander's Web Site Evo Psych Articles Warp's Rants