
I am trying to understand in what scenarios I should be using OAuth. From reading the spec, I understand that you are essentially delegating identification to a 3rd party.

So if we take the example of Stack Overflow's login page, you get

[screenshot: Stack Overflow login page]

OAuth 2 is being used for Google and Facebook; how do I determine what Stack Overflow is using (when entering username and password directly)? Would that also be OAuth 2? If it is using OAuth, how would I go about understanding which flow they use?

Ryan-Neal Mes

3 Answers

Your question is a little unclear, but what I think you're asking is whether SO or some other site uses OAuth for all their authentication schemes. They could. If they are using OAuth with user/password authentication, when you authenticate the response you get back should have an Authorization Token and a Refresh Token in it that you would then use to authenticate on each successive request. Hope this helps. OAuth isn't a technology; it's a protocol on how to do authentication in a better way.

Carl Lewis
  • Sorry, this OAuth stuff is pretty confusing for me. I am just trying to figure out what other people do so I can relate it back to my problem. I get that it's a protocol; I am trying to figure out if they are using the protocol and which flow they are using, for example Resource Owner Password Credentials Grant or Implicit Grant etc. Is there any way to tell? – Ryan-Neal Mes Dec 22 '16 at 09:05
  • What is your problem exactly? – Carl Lewis Dec 24 '16 at 06:05

See what the request URL is when you click to log in with Gmail...

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier

Does that oauth2 mean OAuth 2? I think so.

UPD: As I understand it, the OAuth mechanism is supported by a 3rd party. SO could use their own OAuth for direct entry, or standard authentication. It is up to SO.

Doseke
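As an added example (it is not code from the question or from either answer), the following Python script does what this answer suggests by hand: it takes the login URL captured from the browser, unwraps the nested authorization request that Google carries inside its `continue` parameter, and reads `response_type`, `client_id`, `redirect_uri`, `scope` and `state` to name the grant in use per RFC 6749. Because the password grant the question asks about never shows up as a redirect, the script also classifies a back-channel token request body by its `grant_type`. The sample URL is the one quoted in this answer; the token body is a constructed sample with placeholder credentials, and the function names are my own.

```python
"""Classify OAuth 2.0 requests captured from a browser session (added example)."""
import json
from urllib.parse import parse_qs, urlparse

# Sample input: the Google login URL quoted in the answer, reproduced verbatim.
SAMPLE_URL = (
    "https://accounts.google.com/ServiceLogin?passive=1209600"
    "&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-"
    "p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail"
    "%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid"
    "%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5"
    "%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode"
    "%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier"
)

# Constructed sample of a back-channel token request (placeholder credentials).
SAMPLE_TOKEN_BODY = "grant_type=password&username=alice&password=example&scope=api"

# response_type values seen on the front channel (browser redirect), RFC 6749.
FRONT_CHANNEL = {
    "code": "Authorization Code Grant (RFC 6749 section 4.1)",
    "token": "Implicit Grant (RFC 6749 section 4.2)",
}
# grant_type values seen on the back channel (POST to the token endpoint).
BACK_CHANNEL = {
    "authorization_code": "Authorization Code Grant, token exchange (RFC 6749 section 4.1.3)",
    "password": "Resource Owner Password Credentials Grant (RFC 6749 section 4.3)",
    "client_credentials": "Client Credentials Grant (RFC 6749 section 4.4)",
    "refresh_token": "Refresh token request (RFC 6749 section 6)",
}


def _flat(params):
    """parse_qs returns lists; keep the first value of each parameter."""
    return {k: v[0] for k, v in params.items()}


def find_authorization_request(url, depth=0):
    """Return the URL that actually carries the authorization request.

    Providers often wrap it inside a login page (Google's `continue` parameter
    above), so descend into any query value that is itself a URL, a few levels deep.
    """
    params = parse_qs(urlparse(url).query)
    if "response_type" in params and "client_id" in params:
        return url
    if depth >= 3:
        return None
    for values in params.values():
        for value in values:
            if value.startswith(("http://", "https://")):
                found = find_authorization_request(value, depth + 1)
                if found:
                    return found
    return None


def classify_authorization_request(url):
    """Name the OAuth 2.0 flow behind a front-channel login URL."""
    target = find_authorization_request(url)
    if target is None:
        return {"is_oauth2": False}
    parsed = urlparse(target)
    p = _flat(parse_qs(parsed.query))
    rtypes = p["response_type"].split()  # may be space-separated, e.g. "code id_token"
    if "id_token" in rtypes:  # OpenID Connect layered on OAuth 2.0
        flow = "OpenID Connect implicit/hybrid (response_type includes id_token)"
    else:
        flow = FRONT_CHANNEL.get(rtypes[0], "unknown response_type: " + p["response_type"])
    state = p.get("state")
    try:
        state_decoded = json.loads(state) if state else None  # SO packs JSON into state
    except ValueError:
        state_decoded = state
    return {
        "is_oauth2": True,
        "authorization_endpoint": f"{parsed.scheme}://{parsed.netloc}{parsed.path}",
        "client_id": p.get("client_id"),
        "redirect_uri": p.get("redirect_uri"),
        "scopes": p.get("scope", "").split(),
        "response_type": p["response_type"],
        "flow": flow,
        "has_state": state is not None,     # CSRF protection on the callback
        "has_pkce": "code_challenge" in p,  # RFC 7636, expected for public clients
        "state": state_decoded,
    }


def classify_token_request(form_body):
    """Name the flow behind a back-channel POST body sent to a token endpoint."""
    p = _flat(parse_qs(form_body))
    grant = p.get("grant_type")
    if grant is None:
        return {"is_oauth2": False}  # a plain login form, not an OAuth token request
    return {
        "is_oauth2": True,
        "grant_type": grant,
        "flow": BACK_CHANNEL.get(grant, "extension grant: " + grant),
        "sends_user_password": grant == "password",
    }


if __name__ == "__main__":
    print(json.dumps(classify_authorization_request(SAMPLE_URL), indent=2))
    print(json.dumps(classify_token_request(SAMPLE_TOKEN_BODY), indent=2))
```

Run against the URL above, the script reports the Authorization Code Grant (`response_type=code`), the client id, the `https://stackauth.com/auth/oauth2/google` callback, the `profile` and `email` scopes, and a JSON `state` value. The caveat for the direct username/password case: a site's own login form can post straight to its own server with no OAuth involved at all, in which case neither pattern appears in the browser; only a `grant_type=password` POST to a token endpoint would show that the password grant is in use.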

To keep it short and easy:

If you want to add authentication to your application and you want to leave some security heavy lifting to big companies like Facebook, Google and Stack Overflow, it is generally a good idea if you do not know precisely how to handle such a delicate task and/or you are not using a specific auth tool / framework.

On the other hand, from the user perspective, the application will be far more user friendly (just one click authorization instead of a painful registration).

If you want a much more detailed technical explanation, I suggest you read this other Stack Overflow post: OAuth 2.0: Benefits and use cases — why?

Pitto
  • This makes sense, but let's say I don't want to assume my customers have Gmail/Twitter/Stack Overflow accounts; in order to do the heavy lifting I would need to implement my own identity server, correct? I am guessing Stack Overflow has their own identity server for their website? Note that I already have auth set up with devise (Ruby gem). We are wanting something a bit heavier that allows users to authenticate across all of our platforms at once (single sign-on). We also want to protect our APIs etc. – Ryan-Neal Mes Dec 22 '16 at 12:22
  • That is why, as a general idea, all sites now allow you to use a Gmail/Twitter/Stack Overflow account or create a new account in the old-fashioned way. It is to enhance security / user experience; if it doesn't fit your project's bill, simply do not use such a feature. – Pitto Dec 27 '16 at 13:20