Definition:
- OAuth: OAuth (Open Authorization) is an open standard that lets users authorize third-party websites to access information they store with another service provider, without handing those third-party websites their username and password and without exposing the full contents of their data.
- QQ Login OAuth2.0: For user-related OpenAPIs (such as access to user information, status synchronization, photos, logs, sharing, etc.), a third-party website must explicitly request the user's authorization before accessing that user's data, in order to protect the security and privacy of user data.
Reasons for its popularity:
- From the user's angle: it is convenient, fast and secure, and much of the information involved can be public anyway;
- From the angle of small and medium-sized third-party websites and applications: OAuth lets them obtain the user's basic profile and other information, plus part of the account's usage rights;
- From the angle of large website platforms: OAuth is a good solution to balancing user account security against developer empowerment.
As a result, the OAuth protocol was widely adopted, first by Twitter, Facebook, Google and others abroad, and then taken up in earnest by domestic platforms.
Advantages:
OAuth does not expose the user's account information (such as username and password) to third-party websites or apps. Instead, the authorized HTTP communication carries digital signatures and access tokens rather than the user's login information, so even if a packet is intercepted the user's login credentials cannot be recovered. This is OAuth's biggest advantage and the reason it has become today's common authorization standard.
Disadvantages:
1. Abuse of OAuth authorization
- OAuth is an authorization protocol, not an authentication protocol. Authorization is in effect the system opening a back door for the third-party website/application, and granting it means allowing them to reach your private data and usage rights through that back door.
- Most domestic sites offering one-click login do not distinguish between authentication and authorization at all; everything is lumped together as authorization. Something that could be done with simple authentication, such as OpenID, does not need to go through authorization at all.
- The more sites/apps you authorize, the more sites and apps hold your account information and some degree of access to your account, which means more hidden risks. Even though they do not have your account password, and even if you have never logged in to or used them since, they can still access your account information and exercise part of your account's usage rights unless you dig into the platform's settings and revoke their permissions.
- In a sense, OAuth is an invisible window onto our personal information security, and by default that window stays open permanently.
2. Non-standard use of OAuth
(1) Platforms deploy OAuth in non-standard ways
- The technology varies widely between open platforms, so each platform uses a different protocol version: OAuth 1.0, OAuth 2.0, or a hybrid (some even continue to use insecure Basic Auth).
- Reading the development documents of domestic open platforms shows that, although the overall OAuth flow is similar everywhere, each platform defines authorization its own way, treats developers differently, imposes its own restrictions on authorization, and makes its own claims about protecting user accounts.
(2) Whether the platform audits carefully
Third-party websites or applications that want platform access must pass the platform's audit, which is a layer of checks on the developer. Because platforms compete with each other, audit standards are inconsistent and actual practice is unclear. In general, strong platforms apply strict constraints, while weak platforms, wanting to attract developers, turn a blind eye to many things.
(3) Application developers lack self-discipline
- A significant part of OAuth's security relies on application developers being highly self-disciplined and not requesting permissions they do not need, but that is not what happens in practice.
- Normally, 90% of the apps we use need only read-only access, yet only 5% of apps actually request read-only permissions. For developers, getting access to user accounts seems to be a "quest" to be pursued no matter what.
(4) Users do not guard against OAuth
Going through the OAuth flow is much like installing software on the Microsoft platform: users tend to click through step by step on the default "Authorize", because most domestic users have not yet formed the habit of protecting their account information and permissions.
3. Points to note:
(1) Beware of OAuth phishing login screens
Check whether the pop-up window's domain is the official login domain, and beware of fake phishing pages.
(2) Think twice before authorizing
Before granting your account permissions to an app, check the application developer's details and their privacy terms, so you know who you are authorizing and what they are being granted.
(3) Regularly clean up your third-party app authorizations
Make a habit of cleaning up your third-party app authorizations: remove unfamiliar or unused third-party websites or apps, and close that invisible window.
(4) Pay attention to the source after authorizing
After authorizing a third-party website or app, check whether it has been audited by the official platform; if the source shows "unapproved app" or similar wording, consider cancelling the authorization until it has been approved.
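The two checks above that a user or a client app can actually automate before clicking "Authorize" are the login-domain check in point (1) and the read-only-scope question raised under "Application developers lack self-discipline". The following is an added example, not code from the original article or from any platform; the official host name and the scope names are constructed placeholders.

```python
"""Added example: review an OAuth authorization pop-up URL before granting.
The official host and the scope names below are constructed placeholders."""
from urllib.parse import urlsplit, parse_qs

# Constructed: the platform's genuine HTTPS authorization host(s).
OFFICIAL_HOSTS = {"login.example-platform.com"}
# Constructed: the scopes this platform treats as read-only.
READ_ONLY_SCOPES = {"get_user_info", "read_photos"}


def is_official_login_url(url: str) -> bool:
    """True only if the pop-up really is the platform's HTTPS login page.

    Rejects the usual look-alike tricks: a subdomain of another domain
    (login.example-platform.com.evil.test), userinfo placed before the real
    host (login.example-platform.com@evil.test), plain HTTP, and
    upper-case or trailing-dot spellings of the host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in OFFICIAL_HOSTS


def requested_scopes(url: str) -> set:
    """Scopes the app asks for, read from the URL's scope parameter.
    Accepts both space-separated and comma-separated scope lists."""
    query = parse_qs(urlsplit(url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in raw.replace(",", " ").split() if s}


def review_authorization(url: str) -> dict:
    """Summarise what the user is about to grant and to whom."""
    scopes = requested_scopes(url)
    return {
        "official_login": is_official_login_url(url),
        "requested": sorted(scopes),
        # Anything outside the read-only set deserves a second look.
        "beyond_read_only": sorted(scopes - READ_ONLY_SCOPES),
    }


if __name__ == "__main__":
    # Constructed sample pop-up URL: genuine host, but asks for a write scope.
    sample = ("https://login.example-platform.com/oauth2/authorize"
              "?client_id=c1&scope=get_user_info,upload_photo")
    print(review_authorization(sample))
```

A "beyond_read_only" list that is not empty is the moment to apply point (2) above and read the developer's details before granting.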
Fragmented technical knowledge points: the OAuth protocol