Why is OAuth so popular?

OAuth (Open Authorization)

That even a system designed to protect personal data, such as OAuth, cannot be one hundred percent secure was already demonstrated in April 2009, when a security flaw was discovered. As with many other such systems, phishing is also a constant risk: between April and May 2017, one million Gmail users fell victim to an OAuth-based phishing attack. In a fraudulent email, they were asked to grant authorization via a fake interface so that a supposed application called "Google Apps" could access their account data.

The development of the successor version, OAuth2, was therefore meant not only to simplify the implementation of the increasingly complex protocol but also to improve its security. In October 2012, these efforts reached their final result, but without the approval of the developers who had helped build the original OAuth. Only the lead OAuth2 editor, Eran Hammer-Lahav, had worked on the old OAuth, and even he ultimately distanced himself from the new project, three months before publication. In an article on his blog hueniverse.com dated July 26, 2012, he explained the reasons for his decision and called OAuth 2.0 the "Road to Hell" in the headline.

What happened? According to Hammer-Lahav, the development of the new protocol was shaped by constant debates between the developers and the companies involved (including Yahoo!, Google, Twitter and Deutsche Bank). These disputes were mostly decided in favor of economic interests or were at some point simply ignored. The result is a protocol that, according to Hammer-Lahav, should no longer be called a protocol at all: instead of defining a narrow standard, OAuth2 is at most a framework that can be adapted and extended at will. In the process, OAuth2 lost the property of interoperability, so different OAuth2 implementations are not necessarily compatible with each other.

Hammer-Lahav regrets one more thing: the decision to favor simpler implementation (for example by omitting signatures) leads to a lack of security. To build a secure application that supports OAuth2, developers need a considerable amount of expertise. It is therefore more likely that insecure applications will simply pile up on the web in the future. Implementation errors are unavoidable given the incomplete and overly complex specification, said Hammer-Lahav.

Hammer-Lahav's fears were at least partly justified: in 2016, a research group at the University of Trier examined the security of OAuth2 for the first time and discovered two security vulnerabilities, one of which enabled man-in-the-middle attacks. In principle, however, the researchers rated the protocol as relatively secure, provided it is implemented correctly. According to the OAuth2 team itself, the vulnerabilities have since been fixed. For many IT experts, however, the research report was the occasion for articles exploring the secure use of OAuth 2.0.