Why OAuth is not recommended by the OWASP API standard



Oct 28, 2019, 8:04:13 AM10/28/19
to API Security Project
Dear all, can anyone explain why OWASP says OAuth is not authentication, and neither are API keys? Or why it is not recommended?


guillaume benats

Oct 28, 2019, 8:43:12 AM10/28/19
to ABID KHAN, API Security Project
Dear Abid,

OAuth is an authorization protocol and not an authentication framework.
An OAuth token defines what resources you're allowed to consume, but in order to receive a valid token you'll need to authenticate yourself to an OAuth endpoint, and this can be achieved using multiple kinds of credentials (JWT bearer token, username/password, certificate...). Providing valid credentials is authentication; OAuth is about tokens. Tokens are great for authorization but do not prove user identity. As far as an OAuth client is concerned, it looks for the presence of a token and gives you access based on that. It does not go as far as authenticating you. It is often confusing because OAuth is always part of a broader authentication/authorization flow, like in OpenID.

For API keys, you should always use them only to identify an application, nothing more, nothing less. Unless your API is public, you should somehow authenticate users or applications consuming your API.
API keys are also often found in code repos, SharePoint documents, property files or hardcoded into a mobile app. You can often consider them leaked by definition in a lot of scenarios.

For OAuth, finally, I'd add: you want credentials to be used as little as possible in requests. They are used to authenticate you to an endpoint to receive a token. Tokens, on their side, should be used in each request for access control.

Hope it helps

To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/5731e6e5-af36-47f2-a924-8a04f6f67a5e%40owasp.org.

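The split Guillaume describes above (credentials are presented once, to a token endpoint, which is authentication; the token is then presented on every request and only says what its holder may do, which is authorization; an API key only names an application) as a runnable added example. This is not code from the thread, from OWASP or from any OAuth library: the client registry, the secrets, the API key, the HMAC-signed token format and the 300-second lifetime are all assumptions constructed for the demo, and everything runs in memory.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# --- Constructed data (assumptions, not from the thread) -----------------
_SALT = b"constructed-demo-salt"  # assumption: one static salt for the demo

def _hash_secret(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)

# Registered OAuth clients: secrets stored hashed, each with the scopes it may hold.
CLIENTS = {
    "billing-app": {"secret": _hash_secret("billing-secret-1"),
                    "scopes": {"invoices:read", "invoices:write"}},
    "report-app":  {"secret": _hash_secret("report-secret-1"),
                    "scopes": {"invoices:read"}},
}
# Key shared by the token endpoint and the resource server (assumption: HMAC tokens).
SIGNING_KEY = secrets.token_bytes(32)
# API keys map to an application and nothing else: no scopes, no user.
API_KEYS = {"ak_constructed_0001": "mobile-app"}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- Token endpoint: the only place credentials are checked --------------
def issue_token(client_id, client_secret, requested_scopes, ttl=300):
    """Client-credentials style grant. Returns {"access_token", "scope"} or None.
    The token it returns carries only what the holder may do, never a user."""
    client = CLIENTS.get(client_id)
    # Hash against a dummy value for unknown clients so timing stays uniform.
    stored = client["secret"] if client else _hash_secret("")
    ok = hmac.compare_digest(stored, _hash_secret(client_secret))
    if client is None or not ok:
        return None
    granted = sorted(set(requested_scopes) & client["scopes"])  # never widen
    if not granted:
        return None
    claims = {"client_id": client_id, "scope": " ".join(granted),
              "exp": int(time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return {"access_token": _b64e(body) + "." + _b64e(sig), "scope": claims["scope"]}

# --- Resource server: token on every request, credentials never ----------
def verify_token(token: str):
    """Signature first, then expiry. Returns the claims or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64d(body_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered
    claims = json.loads(body)
    if time.time() > claims["exp"]:
        return None  # expired: the client must authenticate again
    return claims

def authorize_request(token: str, required_scope: str):
    """401 if the token is bad, 403 if valid but lacking the scope,
    else 200 plus the client the token was issued to."""
    claims = verify_token(token)
    if claims is None:
        return 401, "invalid_token"
    if required_scope not in claims["scope"].split():
        return 403, "insufficient_scope"
    return 200, claims["client_id"]

def identify_application(api_key: str):
    """An API key answers only "which application is calling?"."""
    return API_KEYS.get(api_key)

def forge_scope(token: str, new_scope: str) -> str:
    """What someone who read a token might try: rewrite the scope and keep
    the old signature. verify_token rejects the result."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64d(body_b64))
    claims["scope"] = new_scope
    return _b64e(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64

if __name__ == "__main__":
    grant = issue_token("billing-app", "billing-secret-1", ["invoices:write"])
    print(authorize_request(grant["access_token"], "invoices:write"))  # (200, 'billing-app')
    print(verify_token(grant["access_token"]))  # claims: client_id, scope, exp; no user
```

The claims a valid token yields are client_id, scope and exp: enough for access control, nothing that identifies a human user, which is Guillaume's point. Proving who the user is would need a separate step on top (an OpenID Connect id_token, a session, a certificate) rather than the access token.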
Inon Shkedy

Oct 28, 2019, 9:40:40 AM10/28/19
to ABID KHAN, API Security Project

Next time, I encourage you to use powerful tools, like google, to find answers to your questions before sending an email to hundreds of people on this email list.

