undefined | Better HN

0 pointshsbauauvhabzb3y ago0 comments

I think this is a fairly elitist view and I disagree.

I work in application security and still have trouble understanding all the behaviours of oauth and oidc, even after reading the specs multiple times.

If I can’t understand it fully, how are you going to expect some developer who has no security or crypto background implement it correctly when nobody is there to validate the implementation?

I feel like the oauth/oidc are insecure not because of the core logic, but because the design and terminology aren’t easily understood - that complexity IS a vulnerability.

0 comments

1 comments · 1 top-level

brabel3y ago

My comment was pointing out mistakes in the claims from OP, I am not sure how you can interpret that as elitist. You may have read something into my comment that I did not say. For example, I didn't say OAuth is simple (though I am still to see a security framework that's better/simpler for the use cases OAuth sets out to solve).

j / k navigate · click thread line to collapse