Should 3rd party OAuth be used for authentication?

Continuing the discussion from Prompt the user for a password reset (Ionic and Meteor):

Strictly speaking, OAuth is an authorisation service, not an authentication service. As @corvid says, its purpose is to permit access to services provided elsewhere.

There does seem to be a lot of laziness around authentication - my feeling is that it’s because it’s normally difficult to set it up securely. However, Meteor does provide an easy way to do this as well, so why not use it?

If my only option is to “sign up with Facebook”, I just won’t.

So, is it good practice to use 3rd party OAuth for authentication?

3 Likes

The thing I never cared for about OAuth (especially with Facebook) is that if I delete my account, then my authorized applications won’t work as intended.
I had Bandsintown, which I actually really liked a lot as an application, but it was authenticated with Facebook and I wanted to delete my Facebook account.

I think at least a fallback to password/email should be offered in most cases, unless you absolutely need to communicate with the other application.
Like I used Battle.net to create a guild website, but it needed to use World of Warcraft to get the player’s gear, arena ratings, etc.

I think accounts-meld tries to solve that problem.

https://atmospherejs.com/splendido/accounts-meld

1 Like

I think this is open to debate on a case by case basis.

For example, there is an app that I developed for a client who uses Google Apps exclusively and accounts-google was a natural fit.

I also had another app where I cared deeply about users being genuine. Facebook was great help there since they have an account verification process and other practical means to spot fake users.

Or your app might be one of the apps described at http://gizmodo.com/meerkat-and-the-problem-with-parasite-apps-1691743466, which heavily utilize, even live on, the OAuth service.

It depends on your users. If you think your users will be okay logging in with Facebook only, then it is fine to have that. I don’t think it’s possible to boil the issue down to “good practice” or “bad practice”.

Personally I much much much prefer logging in with Facebook because I have too many passwords already, and it means I don’t have to trust the app I’m using to encrypt my password correctly.