# Advice - OAuth is Safe?

## Holysword

What do you guys think about OAuth? How does it work? I have used some applications that magically are able to log in to my account without asking for the password or username (it asks on the first connection, of course). Is it safe? Does it work like SSH keys? What happens if someone manages to copy my key (the file, that is) then? Honest question.

----------

## khayyam

Holysword ...

It's more an authentication method (where access tokens are provided to a third party via a service like OpenID). So, not like SSH keys (which don't use any service to validate the "key"). As for how secure it is, there has been some controversy relating to the specification, and now (topically) a serious security flaw in OAuth and OpenID [has been] discovered.

best ... khay

----------

## Holysword

*khayyam wrote:*

> Holysword ...
> 
> It's more an authentication method (where access tokens are provided to a third party via a service like OpenID). So, not like SSH keys (which don't use any service to validate the "key"). As for how secure it is, there has been some controversy relating to the specification, and now (topically) a serious security flaw in OAuth and OpenID [has been] discovered.
> 
> best ... khay


Thank you for replying. I tried to compare with SSH because I can also log in remotely to some trusted servers using SSH, without entering username or password.

So as far as I understood, OAuth basically gives a website the access to perform all the authorised actions, regardless of whether I am online or not, and regardless of whether I have asked for that specific action at that specific time or not. It means that if the authorised website is attacked somehow, the attacker has control over all the authorised actions, regardless of whether I have asked for that specific action at that specific time or not. Is that correct? If so, that does not just sound like a bad idea... it sounds more like shooting your own head twice.

----------
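The grant model discussed in the thread (a scoped, offline-capable token that is neither the user's password nor an SSH key), as an added example that is not code from the thread: a toy resource-server check in which the token format, the shared HMAC key and the scope names are constructed assumptions. It shows how scope, expiry and revocation bound what the holder of a copied token can do, which is what separates it from a copied SSH private key.

```python
"""Toy OAuth 2.0-style bearer token check (constructed example, not a real
library). A real deployment would sign with an asymmetric key and use the
introspection or JWT mechanisms of its authorization server."""
import base64
import hashlib
import hmac
import json

# Assumption: the authorization server and resource server share this key.
SECRET = b"constructed-demo-signing-key"
REVOKED = set()  # token ids the user has revoked via the provider's settings


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: str) -> str:
    return b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def issue_token(token_id, user, client, scopes, ttl, now):
    """Authorization server: mint a token after the user consented once.
    The third-party client receives this, never the user's password."""
    claims = {"jti": token_id, "sub": user, "client": client,
              "scope": list(scopes), "exp": now + ttl}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + sign(body)


def check_access(token, action, now):
    """Resource server: return (allowed, reason) for one requested action."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, sign(body)):  # tampered claims fail here
        return False, "bad signature"
    claims = json.loads(unb64(body))
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if now >= claims["exp"]:  # a leaked token stops working on its own
        return False, "expired"
    if action not in claims["scope"]:  # consent was for listed actions only
        return False, "out of scope"
    return True, "ok"


def revoke(token):
    """User-side kill switch: invalidate one grant without changing a password."""
    REVOKED.add(json.loads(unb64(token.split(".")[0]))["jti"])
```

Compare this with an SSH private key: a copied key has no scope, no expiry and no revocation list unless the operator builds those in separately.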

