58 votes
Brad Olson commented:

Kirill, regarding the OAuth2 warnings from [Eran Hammer](http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/), I had a chance to sit down with Eran in 2014 and pick his brain a little further. My biggest takeaway from that is him saying something like, "The thing with security software is smart doesn't cut it. You have to have experience." When writing security libraries for hapi, he had budget to consult security experts. They caught a lot of little holes. Don't try to cobble together your own stuff unless you have solid experience, yours or someone else's, at your disposal.

It sounds like OAuth2 was ruined by committee, but it still sees a ton of use by big companies. I found [this Stackexchange comment](https://security.stackexchange.com/questions/133065/why-is-it-a-bad-idea-to-use-plain-oauth2-for-authentication/133073#133073) helpful in understanding the misuse of OAuth2.

    I would love to see some sort of SSO for checkvist, but only if it's secure. See my 2FA request.
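The misuse the linked Stack Exchange answer describes, shown as an added example that is not part of the original thread and not Checkvist's code: a plain OAuth2 access token proves only that some user authorized some client, not which client it was issued to. A relying party that treats "I can call the userinfo endpoint with this token" as a login will accept a token the user granted to a different (possibly malicious) app, letting that app's operator sign in as the user. The provider, client names, the `aud` claim and the HMAC-signed token format below are all simplified assumptions made for the demonstration; real deployments use an ID token (OpenID Connect) whose audience the client must verify.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Demo-only provider signing key (assumption; a real provider uses asymmetric keys)
PROVIDER_KEY = b"demo-provider-key-not-for-production"


def _sign(payload: dict) -> str:
    """Serialize a claims dict and append an HMAC tag: <base64 body>.<hex mac>."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the tag is valid, else None (tampered or forged token)."""
    body, _, mac = token.partition(".")
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def issue_access_token(user: str, client_id: str) -> str:
    """Provider issues a bearer token to `client_id` after `user` consents.
    'aud' records the client the token was issued to (assumed claim name)."""
    return _sign({"sub": user, "aud": client_id, "scope": "profile"})


def userinfo(token: str) -> Optional[str]:
    """Provider's userinfo endpoint: any valid token resolves to its user.
    Note it never asks who is presenting the token."""
    payload = _verify(token)
    return payload["sub"] if payload else None


def login_plain_oauth2(token: str) -> Optional[str]:
    """VULNERABLE: the relying party treats 'userinfo works' as authentication.
    A token the user granted to some other app logs the presenter in as the user."""
    return userinfo(token)


def login_with_audience_check(token: str, my_client_id: str) -> Optional[str]:
    """Hardened: accept only tokens issued to this client (the ID-token audience check
    OpenID Connect mandates). Tokens granted to other apps are rejected."""
    payload = _verify(token)
    if payload is None or payload.get("aud") != my_client_id:
        return None
    return payload["sub"]


def demo() -> tuple:
    # Constructed scenario: alice authorizes a malicious app, whose operator then
    # replays her token at the target app "notes-app".
    stolen = issue_access_token("alice", "evil-app")
    return login_plain_oauth2(stolen), login_with_audience_check(stolen, "notes-app")


if __name__ == "__main__":
    plain, checked = demo()
    print("plain OAuth2 login as:", plain)           # alice (attacker wins)
    print("audience-checked login as:", checked)     # None (rejected)
```

The vulnerable path fails even though every signature verifies and the token is genuine; the defect is in what the relying party infers from it, which is the point the linked answer makes about using OAuth2 (an authorization protocol) as if it were an authentication protocol.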