Hacker News

usr1106, today at 5:05 AM

Maybe he doesn't. And I know that I don't (at least not in depth). And that's the frightening thing here. Using a protocol that many don't understand for access to valuable resources.


Replies

ok_dad, today at 7:03 AM

OAuth is pretty simple, just read the spec.

You go to a third party web site. They send you to your OAuth provider, like cloudflare. Cloudflare asks you to login if you’re not logged in, then asks if you want to give that party certain permissions. You say yes or no and then click approve and then you get redirected back to the third party site. They get a secure token and can use that to access the services with permissions you approved. If you don’t trust the third party then don’t approve it.

It is like an API key but you never have to touch it. The third party can encrypt it and store it securely and it never has to be copied and pasted. You can use this on backend services that need to access things too. I recently wrote an OAuth client for MCP servers for something I’m building (not gonna advertise here because that’s rude) and it’s very nice once you read the spec.

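As an added example (not code from either commenter), a self-contained Python model of the redirect flow ok_dad describes: the third-party site sends the user to the provider, the provider asks for consent to specific scopes, redirects back with a one-time code, and the site exchanges that code for a token that only works for the approved permissions. All names and URLs are constructed; the `state` check and the single-use code are standard OAuth 2.0 authorization-code protections that the comment does not spell out.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def _query(url):  # flatten the query string of a redirect URL into a dict
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class Provider:
    """The OAuth provider role (the 'Cloudflare' of the comment above)."""
    def __init__(self):
        self.codes = {}   # one-time authorization code -> (client_id, scopes)
        self.tokens = {}  # access token -> scopes the user approved
    def authorize(self, auth_url, user_approves):
        """Consent screen; returns the redirect back to the third-party site."""
        q = _query(auth_url)
        if not user_approves:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["scope"].split())
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def exchange(self, code, client_id):
        """Token endpoint: a code works once and only for the client it was issued to."""
        owner, scopes = self.codes.pop(code, (None, []))
        if owner != client_id:
            raise PermissionError("unknown, replayed or mis-bound code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = set(scopes)
        return token
    def api(self, token, needed_scope):  # resource server: approved scopes only
        return needed_scope in self.tokens.get(token, set())

class Client:
    """The third-party site; it holds the token but never the user's password."""
    def __init__(self, provider, client_id, redirect_uri):
        self.provider, self.client_id, self.redirect_uri = provider, client_id, redirect_uri
        self.state = None
    def start(self, scopes):
        self.state = secrets.token_urlsafe(16)  # ties the callback to this session
        return "https://provider.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "state": self.state,
            "redirect_uri": self.redirect_uri, "scope": " ".join(scopes)})
    def callback(self, redirect_url):
        q = _query(redirect_url)
        if q.get("state") != self.state:
            raise PermissionError("state mismatch: callback is not for our request")
        return None if "error" in q else self.provider.exchange(q["code"], self.client_id)

def run_flow(user_approves, scopes=("read:files",)):
    p = Provider()
    c = Client(p, "third-party-app", "https://app.example/cb")  # constructed names
    return p, c.callback(p.authorize(c.start(scopes), user_approves))  # (provider, token|None)
```

`run_flow(True)` yields a token that passes `api(token, "read:files")` but fails for any scope the user did not approve; `run_flow(False)` yields no token, and re-using a redirect (replaying the code) or tampering with `state` raises `PermissionError`.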