undefined | Better HN

0 pointsq3k5y ago0 comments

Doesn't that issue come from the fact that OAuth2 state mostly lives in GET URL data (redirects/callbacks) and request headers (bearer tokens), vs. POST body (which is something OAuth3 does seem to get right)?

0 comments

marcosdumay5y ago

Yes, and the move into references is a very welcome one. It will solve one of the large bottlenecks for OAuth use.

Still, I'm not sure using references in the crypto data itself is a good thing. You will get more requests, more infrastructure dependency, more metadata tracking, for fixing the bloat of a minor (in size) part of the protocol, and getting cryptographic agility, that is a disagreeable feature at best.

Also, once they have references, why are they adding polymorphism too? Polymorphism is a hack that tries (but fails) to solve the same problem.

q3kOP5y ago

I agree with your points :).

IIUC the 'JSON polymorphism' exists _to_ support handles - so that a field `foo` may either contain directly an object as data, or a string as a handle to that data.

Pet_Ant5y ago

> It will solve one of the large bottlenecks for OAuth use.

Sorry, which bottleneck is that?

marcosdumay5y ago

It breaking at random due to network middle man.

j / k navigate · click thread line to collapse

0 comments

marcosdumay5y ago

Yes, and the move into references is a very welcome one. It will solve one of the large bottlenecks for OAuth use.

Also, once they have references, why are they adding polymorphism too? Polymorphism is a hack that tries (but fails) to solve the same problem.

q3kOP5y ago

I agree with your points :).

IIUC the 'JSON polymorphism' exists _to_ support handles - so that a field `foo` may either contain directly an object as data, or a string as a handle to that data.

Pet_Ant5y ago

> It will solve one of the large bottlenecks for OAuth use.

Sorry, which bottleneck is that?

marcosdumay5y ago

It breaking at random due to network middle man.

j / k navigate · click thread line to collapse