Readit News
ash commented on Tailscale is pretty useful   blog.6nok.org/tailscale-i... · Posted by u/thm
yamrzou · a year ago
Is there an alternative to Tailscale with a lower memory footprint? I wanted to run Tailscale on a small router, but it failed due to out-of-memory (OOM) issues.
ash · a year ago
Have you tried the "Smaller binaries" instructions? https://tailscale.com/kb/1207/small-tailscale
ash commented on OpenAUTH: Universal, standards-based auth provider   openauth.js.org/... · Posted by u/jacobrussell
portaouflop · a year ago
> Even redirects aren't necessary if OAuth is implemented in a browser-less or embedded browser fashion, e.g. SFAuthenticationSession

Can you please expand on that or give me some hints what to look at? I have never heard of this before and I work with Oauth2 a lot.

When I look for SFAuthenticationSession it seems to be specific to Safari and also deprecated.

I always share this article because people overimplement OAuth2 for everything, it’s not a hammer: https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cas...

ash · a year ago
The article by Ory's Aeneas Rekkas perfectly describes OAuth / OIDC problems. The only thing it misses is a suggestion for an alternative protocol for first-party auth. It does suggest that it's preferable to use simpler systems like Ory Kratos. But OAuth / OIDC is a set of protocols, not an implementation. Is there an effort to specify a simple auth protocol for when third-party auth is not needed?
ash commented on OpenAUTH: Universal, standards-based auth provider   openauth.js.org/... · Posted by u/jacobrussell
igor47 · a year ago
What's wrong with tokens in local storage?
ash · a year ago
Less secure than HttpOnly cookies, which are not accessible by third-party JavaScript. LocalStorage also doesn't have automatic expiration.
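As an added illustration of the two points in that comment (not code from the thread or from OpenAUTH), the plain Node.js snippet below builds a session cookie with the attributes that keep the token out of reach of page scripts and give it an expiry, and audits an arbitrary Set-Cookie header for those attributes. Function names, the cookie name and the sample header are assumptions made for the example.

```javascript
// Added example (not from the thread): build a hardened session cookie and
// audit Set-Cookie headers for the attributes a token in localStorage lacks.
// Plain Node.js, no dependencies.

// Build a Set-Cookie header value for a session token.
// HttpOnly: document.cookie and injected page scripts cannot read it.
// Secure: only sent over HTTPS. SameSite=Strict: not sent on cross-site requests.
// Max-Age: the browser discards it after maxAgeSeconds (localStorage has no equivalent).
function buildSessionCookie(name, value, maxAgeSeconds) {
  // RFC 6265 token characters for the name; reject values that would need encoding.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value needs encoding');
  return [
    `${name}=${value}`,
    `Max-Age=${Math.floor(maxAgeSeconds)}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Strict',
  ].join('; ');
}

// Parse a Set-Cookie header value into { name, value, attrs }, where attrs maps
// lowercased attribute names to their value (true for flag attributes).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('cookie pair missing "="');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs,
  };
}

// Audit a Set-Cookie header that carries a session token. Returns the list of
// problems found; an empty list means the cookie has all four protections.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by page scripts');
  if (!attrs.secure) findings.push('missing Secure: can be sent over plain HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    findings.push('missing SameSite=Strict/Lax: sent on cross-site requests');
  }
  if (attrs['max-age'] === undefined && attrs.expires === undefined) {
    findings.push('no Max-Age/Expires: no fixed expiry, lives for the whole browser session');
  }
  return findings;
}

// Constructed sample: a header as a careless server might emit it.
const WEAK_HEADER = 'session=abc123; Path=/';
// A token in localStorage would fail all four checks by construction: there is
// no attribute that hides it from scripts and nothing that expires it.
```

Running `auditSessionCookie(WEAK_HEADER)` lists all four missing protections, while `auditSessionCookie(buildSessionCookie('session', 'abc123', 3600))` returns an empty list.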
ash commented on OpenAUTH: Universal, standards-based auth provider   openauth.js.org/... · Posted by u/jacobrussell
ash · a year ago
Cool project!

OAuth-based auth providers are nice, but they can have a weakness. When you have just one app, OAuth can be overkill: the protocol is complex, and users suffer jarring redirects¹.

This is not surprising, because OAuth / OIDC is fundamentally designed for (at least) three parties that don't fully trust each other: the user, the account provider and an app². But in a single app there are only two parties: the user and the app itself. Auth and app can fully trust each other, the protocol can be simpler, and redirects can be avoided.

I'm curious what OpenAUTH authors think about it.

¹ Except for Resource Owner Password Credentials (ROPC) grant type, but it's no longer recommended: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-secur...

² In addition, OAuth is mostly designed for and by account providers, and follows their interests more than interests of app developers.

ash commented on Is String Theory dead? [video]   youtube.com/watch?v=8JYwm... · Posted by u/ash
gnabgib · a year ago
Related & referenced String theory is not dead (11 points, 22 days ago, 5 comments) https://news.ycombinator.com/item?id=42223650
ash · a year ago
Thank you! The video is a criticism of that article.

u/ash · Karma 5034 · Cake day January 12, 2008