Show HN: OAuth.io released with 70+ providers (opens in new tab)

(oauth.io)

66 pointsthyb12y ago22 comments

22 comments

19 comments · 14 top-level

Titanous12y ago· 2 in thread

Previous discussion: https://news.ycombinator.com/item?id=5777102

From a security perspective, this is a horrible idea, adding a completely untrusted intermediary. OAuth.io will technically have access to all of your user data, and any security flaws that they have will impact your service and user data.

btilly12y ago

Worse than that. You are at the mercy of what service providers think of both them AND all of their clients.

Suppose that they have a customer who uses their service to install malware in people's accounts, and Google catches them. Google isn't going to just shut off one customer. They are going to revoke the client_id associated with OAuth.io, causing every customer to lose access. (A malware author could try this because they would hope that malicious requests are more easily lost inside the torrent of other stuff coming from OAuth.io.)

And it isn't just a customer who is intentionally bad. If a customer gets compromised by a malware author who uses that as a vector, well, same story.

You do not want your access to business-critical APIs to depend on a third party reseller who cannot guarantee their own continued access. Really.

tehwebguy12y ago

I received an invite to this service today and just checked it out - this is not correct.

You have to generate your own keys for each service, then store them with OAuth.io. This doesn't mean they can't access your users' data, just that there isn't one "master key" that could shut everyone down.

1 more reply

sondh12y ago· 1 in thread

I think this is a step backward. The OAuth specs were designed to make it easier to work with different services and now we have to utilize yet another service to communicate with those services?! Via a priority protocol even!

As a developer, I understand the pain when you have to deal with more than a handful of providers but this approach is a no-go IMHO. Would be a better idea to use something like HybridAuth and handle everything from your servers.

Relevant xkcd: http://xkcd.com/927/

Apology to OP if this comment appears to be offensive.

nadiac12y ago

Oauth has been made to avoid to store passwords, but it is not a simple protocol to implement. I just think you are talking here about the main debate between protocol versus applications/platforms.

- Protocols provide standardization, and independance, often as recipe/instructions to follow. Protocols keeps things open, into nodes not hubs.

- Applications/platforms provide easy comsumption, with a user design but also dependancies. It is like a menu to order, as you choose what you want to eat but you don't have to care about how to do it (the recipe). They mutualize things as code librairies, CPU etc... but are hubs, not node and close the network in counterparty of user experience.

To see in depth the difference of design between a recipe and and a menu, more explanations in the Donald Norman book " The Design of Everyday Things"

Edit: To see the difference between a protocol and an application, why people are using Gmail instead of STMP? User experience vs implementation

calebclark12y ago· 1 in thread

I clicked the login button on your oauth.io site' and I was surprised to see a basic email/password form. Why not use your own product to allow login through Facebook, twitter, github, etc?

nodefortytwo12y ago

That is ridiculous.

alpb12y ago· 1 in thread

This is still beta page. I can't see list of 70 providers.

thybOP12y ago

Currently, you just have to sign up to access the full list. We'll add this list for non registered user asap. Thanks for your feedback.

n1cked12y ago

A bit annoying that the site breaks the back button.

jmelul12y ago

Nice stuff! Definitely beats using Gigya or Janrain which cost quite a bit. This is the only part we were interested in anyway so... Are you guys planning on adding services and maintaining the services for regular updates across all these services?

DiabloD312y ago

This is not what I want in an OAuth provider.

Instead, someone should write a simple daemon I can execute http+json REST functions on to create and verify login cookies and transfer them back and forth to the user's browser using my webapp normally.

The daemon can be written in any language as long as it is not a JVM language.

I would write such a thing, but OAuth is somewhat confusing, and OAuth.io brings up a good point, a lot of the existing OAuth implementations are a bit flaky and if I just copy what they do/use them directly I risk inheriting that problem.

Aaronneyer12y ago

Anybody watch the little gif in the corner? Just kind of stared at it for a while, it never seems to end.

edit: Oh, the whole thing isn't a GIF. It just has a looping programmer gif and then puts some text around it. Maybe it will go on forever then :p

edit2: https://oauth.io/js/stubborn.js So definitely does go on forever :p

Avalaxy12y ago

So... Where can I find more information on what this is and how it works? There isn't even a description on the website on what oauth.io is, just a small code snippet. Why am I supposed to sign up for something I know nothing about? I was expecting at least a small video that explains how this all works and what it does for me.

canadev12y ago

I would recommend rolling your own consumers, or using one of the following libraries:

- http://hybridauth.sourceforge.net/ (PHP)

- https://github.com/intridea/omniauth (Ruby)

Anybody have any equivalents for other languages?

hippich12y ago

Nothing really wrong with wanting to make money, but this should be an OSS library instead.. I guess I am too idealistic :)

bobwaycott12y ago

Thanks for breaking my back button.

tiedemann12y ago

I, for one, welcome our new OAuth overlords.

If it works the way it's supposed to I'll be using it for sure.

aymeric12y ago

I can't register on their website using OAuth? Really?

j / k navigate · click thread line to collapse