Does github (twitter, stripe & co) use oauth for its own login?

Does github (twitter, stripe and co) use OAuth for native signin / signup forms?

Are all these authentications cookie-based, just as for a regular web client, or do they use some form of OAuth or xAuth?

When you log in, you call https://github.com/session (or https://twitter.com/sessions or https://dashboard.stripe.com/ajax/sessions ) with the credentials sent as form data, which results in a 302 (or a 200 for Stripe) with Set-Cookie and Location https://github.com (or https://twitter.com ).

It looks like they use client_id to get the code and exchange it for a token. The whole OAuth dance seems to be stripped, and the Bearer header too. So what is going on here?

Thanks.

+5
2 answers

OAuth is a three-legged system; with only two legs it is useless. The whole point of using OAuth is to give other services the ability to perform actions on your behalf, since you do not need special authentication or data transfer for yourself. In the end, you still have to authenticate against some auth service.

Since these services are used as an authentication mechanism for other sites, it would be pointless to try to use it on themselves. As part of the OAuth configuration, the second site redirects to the first and asks you to authenticate there, which means that you literally need to enter your credentials. This means that once you have entered your credentials on github, having another authentication mechanism is useless.

OAuth allows non-github sites to create user accounts by trusting github's authentication, or allows non-github sites to make changes on github as a user, when the user agrees to the interaction by logging into github (using their credentials) to accept this policy.

+1

Login forms on github (and on other sites as well) are simply cookie-based.

Typically, every direct login to a website through a browser is done with a cookie-based system, simply because there is no need to do otherwise.

Bit of theory

Each time you use a website's login form, you call an API that is not necessarily intended for public use (so the API is private).

When you enter your credentials in the login form and click the login button, your credentials are handled by some code on the server that authenticates you with this website.

There is no need for full OAuth, because the website has full control over the authentication mechanism and does not need to externalize it.

Why is OAuth different in this context?

OAuth is a system designed to distribute the authentication system across different services / applications, even from different providers.

OAuth has several participating roles:

  • client
  • authorization server
  • resource provider

In your case, all three of these roles are the site itself, so there is no need for a decoupling system such as OAuth.

0
