
I love reading blog posts on oauth2 and oidc. I have a mental model on how it works but every person has their own way to describe the flows. So far my favorite article has been oauth-oidc from first principles[1] and why each piece of the protocol is useful.

This being Hacker News, any comment worthwhile cannot be devoid of criticism. Trust-on-first-use is used incorrectly here -- saving the previous authorization scopes is just caching. TOFU has a specific definition in security: it's when you're establishing a secure channel but you haven't shared a secret or public key a priori -- it makes it impossible to guarantee that the counter-party is who they say they are. Very concretely, TOFU is a Diffie-Hellman key exchange with a shared secret that can be MitMed. Through use in time the shared secret gains integrity because the probability of a persistent MitM across channels degrades. The most common place TOFU is encountered is when connecting via ssh to a server and the server accepts your connection because you're in their authorized_keys but the server's key is not in your known_hosts.

[1] https://stack-auth.com/blog/oauth-from-first-principles
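An added example, not part of the comment above or of either linked article, contrasting the two things the comment distinguishes: a known_hosts-style TOFU pin store that treats a changed host key as a possible MitM, beside a plain cache of already-consented OAuth scopes where overwriting is routine. Host names and key bytes are constructed sample values.

```python
import hashlib


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a raw public key, the value a TOFU store pins."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


class TofuHostStore:
    """Trust-on-first-use: the first key seen for a host is pinned blindly;
    every later connection is checked against that pin, and a mismatch is
    reported rather than silently overwritten (that is the MitM signal)."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp          # first use: no prior knowledge, remember it
            return "trusted-first-use"
        if pinned == fp:
            return "verified"              # same key as before: trust has accrued over time
        return "MISMATCH"                  # key changed: refuse; the pin is never replaced here


class ScopeCache:
    """Plain cache of scopes a user already consented to for a client, so the
    consent screen can be skipped. Growing or replacing the entry is normal
    behaviour, not a security event, which is why this is not TOFU."""

    def __init__(self) -> None:
        self._granted: dict[tuple[str, str], set[str]] = {}

    def needs_consent(self, user: str, client: str, scopes: set[str]) -> set[str]:
        have = self._granted.get((user, client), set())
        missing = scopes - have            # only scopes not yet granted need a prompt
        self._granted[(user, client)] = have | scopes
        return missing
```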




If you love it so much, here is another one: https://blog.ce9e.org/posts/2025-01-07-oidc/



