What do you mean? How do you do an offline attenuation of an OAuth2 token?



You can’t do it offline; but in practice that isn’t a problem because IdPs generally are five-nines available.


No, it is a problem, because the motivating use case for offline attenuation is doing JIT minimization of tokens before sending them. IdP OAuth2 tokens tend to be all-powerful, a game-over break if stolen. That's why offline attenuation was invented.

You can say that offline attenuation and minimization doesn't matter; for a lot of applications, it probably doesn't. But you can't say OAuth2 has the same feature, and certainly not "had for yonks".


You can of course use Macaroons with OAuth, which was something that I tried to get the OAuth WG interested in, with little success. But I did get it added to my then employer’s AS product: https://neilmadden.blog/2020/07/29/least-privilege-with-less...

(Not sure why the images in that post are suddenly broken, will try to fix later).

This also reminds me that I need to finish off my own take on Biscuits/Macaroons that takes a completely different approach based on Diffie-Hellman. I call them Florentines.
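To make concrete what "offline attenuation" means in the Macaroon-style tokens discussed above (the JIT minimization use case in the earlier reply, and Macaroons layered on OAuth in this one), here is an added example in Python. It is not code from the thread, from any commenter, or from any product linked here; the caveat grammar ("field op value"), the key, the token id and the request fields are all constructed for the demo.

```python
"""Minimal Macaroon-style bearer token with offline attenuation.

Hypothetical illustration: the issuer holds a root key and mints a broad
token. Any holder can then append a caveat (a restriction) with no key and
no round-trip to the issuer, because each caveat is bound by HMACing it
under the previous signature. Only the issuer (root key) can verify.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: bytes        # opaque token id the issuer can look up
    caveats: tuple = ()      # first-party caveats, in append order
    signature: bytes = b""   # HMAC chain over identifier, then each caveat

    @classmethod
    def mint(cls, root_key: bytes, identifier: bytes) -> "Macaroon":
        """Issuer side: the only step that needs the root key."""
        return cls(identifier, (), _mac(root_key, identifier))

    def attenuate(self, caveat: bytes) -> "Macaroon":
        """Holder side, fully offline. The new signature is a MAC under the
        old one, so a caveat cannot be stripped without the pre-attenuation
        signature, which the holder never sends."""
        return Macaroon(self.identifier, self.caveats + (caveat,),
                        _mac(self.signature, caveat))

    def to_wire(self) -> str:
        body = {"id": self.identifier.decode(),
                "cav": [c.decode() for c in self.caveats],
                "sig": self.signature.hex()}
        return base64.urlsafe_b64encode(json.dumps(body).encode()).decode()

    @classmethod
    def from_wire(cls, token: str) -> "Macaroon":
        body = json.loads(base64.urlsafe_b64decode(token))
        return cls(body["id"].encode(),
                   tuple(c.encode() for c in body["cav"]),
                   bytes.fromhex(body["sig"]))


def caveat_holds(caveat: bytes, request: dict) -> bool:
    """Caveat grammar assumed here (not a standard): 'field op value' with
    op '=' (string equality) or '<' (integer less-than). Anything the
    verifier does not understand is denied, never ignored."""
    parts = caveat.decode(errors="replace").split(" ", 2)
    if len(parts) != 3 or parts[0] not in request:
        return False
    fld, op, value = parts
    actual = request[fld]
    if op == "=":
        return str(actual) == value
    if op == "<":
        try:
            return int(actual) < int(value)
        except (TypeError, ValueError):
            return False
    return False


def verify(root_key: bytes, m: Macaroon, request: dict) -> bool:
    """Issuer / resource-server side: recompute the chain from the root key
    and check every caveat against the request being authorized."""
    sig = _mac(root_key, m.identifier)
    ok = True
    for c in m.caveats:
        if not caveat_holds(c, request):
            ok = False
        sig = _mac(sig, c)
    return hmac.compare_digest(sig, m.signature) and ok


def demo() -> dict:
    root_key = b"issuer-root-key-constructed-for-demo"   # constructed value
    broad = Macaroon.mint(root_key, b"session-7f3a")       # all-powerful IdP token
    # Client, just before calling one service, minimizes the token offline:
    narrow = (broad.attenuate(b"aud = inventory-api")
                   .attenuate(b"method = GET")
                   .attenuate(b"time < 1700000000"))
    received = Macaroon.from_wire(narrow.to_wire())      # what the server sees
    get_req = {"aud": "inventory-api", "method": "GET", "time": 1699999000}
    post_req = dict(get_req, method="POST")
    other_aud = dict(get_req, aud="billing-api")
    late = dict(get_req, time=1700000001)
    # A thief holding only the narrow token tries to drop the last caveats:
    stripped = Macaroon(received.identifier, received.caveats[:1], received.signature)
    return {
        "broad_ok": verify(root_key, broad, post_req),          # game over if stolen
        "narrow_get": verify(root_key, received, get_req),
        "narrow_post": verify(root_key, received, post_req),
        "narrow_other_aud": verify(root_key, received, other_aud),
        "narrow_late": verify(root_key, received, late),
        "stripped": verify(root_key, stripped, get_req),
    }
```

The point of `demo()` is the contrast: the broad token authorizes anything, while the attenuated copy the client actually transmits is only good for one audience, one method and a short window, and the server learns this without the client ever contacting the issuer. Real Macaroons also add third-party caveats and key-derivation details this sketch leaves out.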


It's a really good, clarifying post; I've had it in a tab for a week or so while I've been writing.



