OAuth: the good, the bad, and the ugly

Our experience integrating six different OAuth providers has been documented by Ignacio Coloma in his blog.

The conclusions:

  • We still kind of love OAuth, despite its problems and inconsistent implementations.
  • Our system is secure with very little work, especially compared with the alternatives.
  • OAuth introduces new security holes, and certainly doesn’t replace a password manager like LastPass.
  • It doesn’t come for free. To implement OAuth in your website, you will have to read.

This is something that we have wanted to share for a long time. Back to coding, these features are not going to develop themselves!