Does anyone care about open security protocols?


5 years ago


Although I don’t consider myself a security expert, in the last few weeks my paths have crossed with some open security standards / protocols / initiatives (call ’em whatever you’d like): namely OATH (http://www.openauthentication.org/) and OAuth 2.0 (http://oauth.net/).

Although the two are frequently confused with each other (OATH, the Initiative for Open Authentication, is the body behind one-time-password algorithms such as HOTP and TOTP; OAuth 2.0 is a delegated-authorization framework and, by itself, says nothing about authenticating the user), they have one thing in common: neither really plays its intended role (anymore)…

Should we care (or even worry)?

  1. In the case of OATH, personally I don’t care: the only point of an open standard for strong authentication is to keep small token vendors in the game (as long as they are standard-compliant). But is there a direct benefit for the people who are supposed to use the tokens, or who own the secured systems? I don’t think so.
  2. In the case of OAuth 2.0 it’s a little different: it seemed like a great idea to easily “outsource” authorization to an external, trusted party. Sadly, it has its flaws, so each such provider had to implement its own “flavour” (obviously not standardized).

I still believe that OAuth 2.0 can be saved with additions like OpenID Connect (http://openid.net/connect/), but nothing can be taken for granted.

P.S. If you’re interested in OAuth 2.0, try the new Pluralsight course “Introduction to OAuth 2.0, OpenID Connect and JSON Web Tokens (JWT)” by Dominick Baier (http://pluralsight.com/training/Courses/TableOfContents/oauth2-json-web-tokens-openid-connect-introduction).

Sebastian Gebski
