Facebook hack and OAuth User Authentication [2 min OAuth]

In this episode, I used the Facebook hack [1] as a lead-in to explain why using an access token to represent a user is a bad idea.


  1. Facebook Security Breach Exposes Accounts of 50 Million Users (New York Times) https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

2 Replies to “Facebook hack and OAuth User Authentication [2 min OAuth]”

  1. I like your videos. But I noticed you have not been talking about OAuth 1.0 (not 2) in detail. Can you make some good 4-5 videos about OAuth 1.0 please?

    1. OAuth 1.0 [RFC5849] is obsoleted by OAuth 2.0. So, you should be using OAuth 2.0 and that’s why I am not talking about OAuth 1.0. Also, note that OAuth 1.0 is not a standard. It is just an informational document. People should be aware of the different designations of documents that are uploaded to the IETF.

      * Standards track — these are standards
      * Informational — Just for your info. It is not a standard.
      * Experimental — Too early to be a standard. Needs experimentation. It is not a standard.

      There is also something called individual drafts. Their filename appears as:

      * draft-{name of the author}-{draft name}-{version}

      These are documents that you can upload anytime (except during the upload freeze period prior to IETF meetings). Anyone can upload one anytime and no vetting is done. They obviously are not standards.

      All documents that are on the way to being one of the RFC types above have a name pattern:

      * draft-ietf-{draft name}-{version}


