Talk:OAuth

== The quote in paragraph 1 " OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner, or end-user. " is not always true ==

The quote "OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner, or end-user." is not true for all OAuth grant types. In fact, the whole purpose of the "client credentials grant type" is for a client server to access resource server data that is NOT tied to a specific owner or end-user. (see https://tools.ietf.org/q/rfc6749#section-1.3.4 and https://tools.ietf.org/html/rfc6749#section-4.4) jmanico (talk) 2 August 2015 — Preceding undated comment added 20:59, 3 August 2015 (UTC)

Agreed. It does not have to be third-party either. A lot of first-party apps are also leveraging OAuth. Perhaps it could read such as "OAuth grants access to the applications that requested through access tokens and refresh tokens when appropriate approval was obtained." --Tusker (talk) 15:23, 7 March 2021 (UTC)


 * 01929507668 103.234.202.153 (talk) 21:26, 25 December 2023 (UTC)

Untitled talk
I think we might want to clarify that OAuth is really about authorization... whereas something like OpenID is about authentication. Authentication is required to authorize, but it's not the focus of the API. —Preceding unsigned comment added by Patniemeyer (talk • contribs) 16:33, 10 July 2008 (UTC)

While preserving the technical explanation more narrative & user friendly discussion is needed. The best example is to answer the question "What is a valet key?". The "OAuth Beginner's Guide" 1st written paragraph is more of a user oriented discussion. Jargon needs additional Wiki entries and or linking of those words and phrases. Some with a better level of understanding can find another way of saying the guide's words yet fit into an overall technical highlight of this useful system. Johnswolter (talk) 18:08, 18 February 2012 (UTC)

Twitter OpenID?
There is strictly nothing about OpenID in the Twitter page. Which makes about the whole text suspect. Lacrymocéphale 12:03, 3 October 2008 (UTC)

This article is about OAuth.

"Handing over your ATM card"
Just like to point out that in the UK, with the 'Chip and Pin' system that's exactly what you do :-) —Preceding unsigned comment added by 93.97.40.109 (talk) 16:11, 7 December 2009 (UTC)

That's a little bit sensful Chandaz productionz (talk) 23:22, 3 November 2016 (UTC)

OAuth Corporate Info?
There is no info about OAuth org structure. Who owns it? Who is it run by? Neither here, nor on the internet. Their site humbly tells us that it is being "developed by a small group of dedicated individuals.". Unlikely, given the widespread usage. All whois contacts are in British Virgin Islands. Can someone clarify? —Preceding unsigned comment added by 77.123.70.15 (talk) 18:38, 29 July 2009 (UTC)

This is vital. OAuth is about trust & access management. Offering that requires open and transparent conducting of business. This is part of OAuth reputation management requirements Johnswolter (talk) 18:08, 18 February 2012 (UTC)

AS a s AS as AS as AS — Preceding unsigned comment added by 121.54.58.244 (talk) 22:58, 21 August 2014 (UTC)

Adoption
Who's using this? Is it widespread? I can't find a list of implementing partners, and the only large one I've seen so far is Twitter. 207.58.192.150 (talk) 20:31, 30 September 2009 (UTC)

"List of OAuth Service Providers", should have 'as of this date' information included and each line should have a reference to an appropriate URI from which the "OAuth version used" was determined. Perlygatekeeper (talk) 18:08, 16 May 2012 (UTC)

Anything about OAuth vulnerability?
What about OAuth vulnerability using impostor server? Which is especially dangerous with WebView controls on mobile devices where you cannot see address bar. In that case even two steps authentication can not help. Rambalac (talk) 05:40, 25 June 2013 (UTC)

That security section seems incomplete or open-ended to me. So, there have been a number of security issues identified. Now what? Has everyone just decided to live with it and not care about it? Are there proven ways to fix those issues? Are there any test sites for your OAuth services? 84.245.149.53 (talk) 13:31, 9 April 2015 (UTC)

Invisible Facebook links
The links to the Facebook article in this article are not rendering. There are two specific links, one in the History section and the other in the table of OAuth providers. Is this a problem with the Facebook article? Brylie (talk) 07:50, 16 October 2014 (UTC)

"OAuth1 turndown"?
"'8 June 2015: GoogleCL is currently broken due to the OAuth1 turndown, and likely to remain so. Thanks for your support over the years, and apologies for the lack of prior notice.'" Seems to imply something relevant/noteworthy may have developed. --Kevjonesin (talk) 01:14, 13 June 2015 (UTC)

Anything about Oauth3 ?
There are two GitHub links to [OAuth3 Draft Specs](https://github.com/oauth3/) and [implementation of Oauth3](https://github.com/OAuth3/ruby-oauth3). And one other article here: http://tav.espians.com/oauth-3.0-the-sane-and-simple-way-to-do-it.html — Preceding unsigned comment added by 108.68.98.192 (talk) 16:42, 3 August 2015 (UTC)

Does anyone know what the status of OAuth3 is? It would be great if someone who knows more would update the Wiki page. — Preceding unsigned comment added by 108.68.98.192 (talk) 16:38, 3 August 2015 (UTC)


 * There is no OAuth3. OAuth 2.1 is being worked on. Separately, GNAP is also worked on but that is not OAuth3. --Tusker (talk) 15:28, 7 March 2021 (UTC)

The reference 25 does not have the title, no visible link. It is designed to link to this article: http://www.cnet.com/au/news/serious-security-flaw-in-oauth-and-openid-discovered/ Can someone please correct this? I do not see how to access the reference to edit/correct it. — Preceding unsigned comment added by 69.12.250.56 (talk) 22:06, 16 February 2016 (UTC)

This article is limited to OAuth User Grant (and OAuth Implicit at best)
This article and its comment around OAuth being a Grant/Authorization protocol is mostly limited to OAuth User Grant.

OAuth Client Credentials is ignored here, which isn't about a Grant at all, it's for identifying the caller app. It is not on-behalf, it is presented by the owner of the credential (i.e. the app) itself.


 * Yup. Client Credentials Grant is ignored here and probably should be added. At the same time, though, Client Credentials grant is not equal to identifying caller app. Also, code grant etc. are not really on-behalf depending on its semantics. --Tusker (talk) 15:33, 7 March 2021 (UTC)

It's arguable if OAuth Implicit is purely authorization, because the caller app directly gets a response that the user credentials are valid (and since that app accepted the username/password, they have "identified" the user once OAuth provider returns a token). — Preceding unsigned comment added by Sajin (talk • contribs) 14:12, 2 April 2019 (UTC)


 * Implicit is still purely authorization. The client does not get any info about who the user is. If it did, it is via another protocol on top of it. --Tusker (talk) 15:33, 7 March 2021 (UTC)
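As an added illustration of the grant-type distinction raised in the first section and in this one (it is not code from the article, from RFC 6749 or from any OAuth implementation), the following toy authorization server handles three RFC 6749 flows side by side: the authorization code grant (section 4.1), the implicit grant (section 4.2) and the client credentials grant (section 4.4). The client ids, secrets, user name "alice" and scope strings are constructed for the example, and the `introspect` method is a stand-in for whatever the resource server uses to learn what a token stands for. Two things become visible that the prose only asserts: a client credentials token has no resource owner at all, and in every flow the client receives only an opaque bearer token, with no statement of who (if anyone) approved it.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample client registrations; the ids and secrets are made up for this example.
CLIENTS = {"reporting-batch": "s3cret-batch", "mobile-app": "s3cret-mobile"}


@dataclass
class Token:
    value: str
    client_id: str
    resource_owner: Optional[str]  # None when no end-user took part in the grant
    scope: str


class ToyAuthorizationServer:
    """Minimal stand-in for an RFC 6749 authorization server (constructed example)."""

    def __init__(self):
        self._pending_codes = {}  # authorization code -> (client_id, resource_owner, scope)
        self._tokens = {}         # access token value -> Token

    def authorize_code(self, client_id, resource_owner, scope):
        """Authorization endpoint, response_type=code (RFC 6749 section 4.1):
        the resource owner has approved the client, so a one-time code is issued."""
        if client_id not in CLIENTS:
            return {"error": "unauthorized_client"}
        code = secrets.token_urlsafe(16)
        self._pending_codes[code] = (client_id, resource_owner, scope)
        return {"code": code}

    def authorize_implicit(self, client_id, resource_owner, scope):
        """Authorization endpoint, response_type=token (RFC 6749 section 4.2):
        the access token is returned directly; the client still learns nothing about the user."""
        if client_id not in CLIENTS:
            return {"error": "unauthorized_client"}
        return self._issue(client_id, resource_owner, scope)

    def token(self, grant_type, client_id, client_secret, code=None, scope=""):
        """Token endpoint for authorization_code (section 4.1.3) and client_credentials (section 4.4.2)."""
        if CLIENTS.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            pending = self._pending_codes.pop(code, None)  # codes are single use
            if pending is None or pending[0] != client_id:
                return {"error": "invalid_grant"}
            _, owner, granted_scope = pending
        elif grant_type == "client_credentials":
            owner = None  # no resource owner anywhere in this grant
            granted_scope = scope
        else:
            return {"error": "unsupported_grant_type"}
        return self._issue(client_id, owner, granted_scope)

    def _issue(self, client_id, owner, scope):
        value = secrets.token_urlsafe(24)
        self._tokens[value] = Token(value, client_id, owner, scope)
        # The client receives only an opaque bearer token; the approver's identity is not part of it.
        return {"access_token": value, "token_type": "Bearer", "scope": scope}

    def introspect(self, value):
        """Resource-server side lookup of what a token stands for (hypothetical helper)."""
        t = self._tokens.get(value)
        if t is None:
            return {"active": False}
        return {"active": True, "client_id": t.client_id, "sub": t.resource_owner, "scope": t.scope}


def demo():
    srv = ToyAuthorizationServer()
    # Authorization code grant: end-user "alice" approves mobile-app, which then redeems the code.
    code = srv.authorize_code("mobile-app", "alice", "photos:read")["code"]
    code_resp = srv.token("authorization_code", "mobile-app", "s3cret-mobile", code=code)
    replay = srv.token("authorization_code", "mobile-app", "s3cret-mobile", code=code)
    # Implicit grant: same approval, token handed straight back from the authorization endpoint.
    implicit_resp = srv.authorize_implicit("mobile-app", "alice", "photos:read")
    # Client credentials grant: a batch job authenticates as itself; no end-user is involved.
    cc_resp = srv.token("client_credentials", "reporting-batch", "s3cret-batch", scope="reports:read")
    return {
        "code": code_resp,
        "replay": replay,
        "implicit": implicit_resp,
        "client_credentials": cc_resp,
        "code_token": srv.introspect(code_resp["access_token"]),
        "implicit_token": srv.introspect(implicit_resp["access_token"]),
        "cc_token": srv.introspect(cc_resp["access_token"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the code-grant and implicit-grant tokens introspecting to `sub: "alice"` while the client credentials token introspects to `sub: None`, and none of the three token responses handed to the client carry any user identity; any "who is the user" information a client believes it has obtained must therefore come from a separate protocol layered on top, not from the OAuth exchange itself.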

OAuth Shin
OAuth Shin Lucy R. (talk) 02:48, 7 January 2024 (UTC)