Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use basic auth to get an oauth token #694

Open
carols10cents opened this issue Oct 21, 2012 · 0 comments
Open

Use basic auth to get an oauth token #694

carols10cents opened this issue Oct 21, 2012 · 0 comments
Labels
feature request

Comments

@carols10cents
Copy link
Contributor

From discussion in #692:

@steveklabnik:

One neat thing that we might want to think about in the future is echoing GitHub's authorization API: you can use basic auth to request an oauth token, so you don't have to go through the full oauth dance. :)

@wilkie:

You can use basic auth to acquire an application token. However, the reason this is secure is that the random handshaking oauth uses to ensure no replay attacks can occur is superseded by ssl. So, if you do this, ensure that you check that the credentials are correct AND that the request was made over ssl. This cannot be used on any nodes that elect not to have an ssl cert. :)

@steveklabnik:

Link for the uninformed: http://developer.github.com/v3/oauth/#non-web-application-flow

OAuth would also require ssl, and therefore shouldn't be on any nodes that elect not to have it.

@wilkie:

OAuth is equivalent basically to basic auth + ssl in terms of attack area. You attack the initial handshake for OAuth, or you attack the initial handshake for ssl, and you could see the information passed on subsequent requests. shrug If people elect not to have SSL, OAuth is severely better than nothing, and due to using a random number and an HMAC can be used without SSL. Pessimistically speaking, both approaches are rather broken on a security level, but do obscure passwords in the common case. Also, the government probably has every SSL private key. :) :) :C

@steveklabnik:

I'm pretty sure that the spec says to reject requests that aren't over SSL, and so it won't even work, not 'it's not secure.'

I should really double-check that, though.

@wilkie:

Yeah, totally. It will be insecure if the eavesdropper witnesses the handshake. SSL is broken if the eavesdropper can inject a cert or knows the private key. shrug :) But SSL would solve the problem of witnessing the key exchange at the OAuth layer by pushing the problem down a layer. It is theoretically impossible to solve the key exchange problem, so OAuth placed it out-of-scope and gives responsibility to SSL, which solves it poorly. :D :D :D

OAuth says that SSL MUST be used to get the token_secret, which makes sense, so you'd be correct that it should reject requests not over SSL regardless. Hmm, in that case, is OAuth nothing more than a glorified redirect? I now have newfound lulz over that spec.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@carols10cents