Be careful with authorization servers

These days people are accustomed to logging in to various Web sites using third-party authorization services. Do you want to login using your Facebook or Twitter account? In technical terms, this means that you are being offered to delegate the process of authorization to a third-party service offered by Facebook, Twitter or other big guys.

You’re sick and tired of creating and remembering dozens of IDs/passwords for all theses online services. Please, please login me quickly using whatever service you want. Most of such services are implemented with OAuth protocol, which allows to use the user’s account on some other servers to authorize you for accessing someone’s Web site. The good part is that OAuth servers do not reveal your id/password, but perform the authorization returning a special encoded token that will be used as you temporary passcard. The access to your Facebook or Twitter account will be limited.


The concept of giving a limited access to a resource is easily explained to rich people, who have these fancy cars with the ignition key that includes a removable small key so you can lock the glove compartment (full of diamonds) while giving a large key to a valet parking attendant. If you’re not that rich yet, take a look at this image:


Say you are visiting a Web site, with offers you login with one of your social networks’ account. Creators of must reveal what exactly they will be able to do with your credentials. It’s great that they won’t be able to login to your Twitter account, but will they be able to tweet on your behalf or start following people? Always read text on such login windows before clicking on that easy-to-login button.

I’ll give you a couple of examples. Here’s how Right Relevance offers you to login to their site:


With all my respect to Right Relevance for their good technical content, I wouldn’t want them to post tweets for me. Thanks, but no thanks.

Here’s another one. In April I was speaking on OAuth authorization at a Java conference in Moscow, Russia. In the evening I went to see a show in a popular theatre, which offered a free Wi-Fi hotspot. Nice! When I tried to connect to this spot from my phone I got this message:


Thank you, Hot Wi-Fi, but you’re not that hot for letting you tweet for me. Besides, it’s not polite to browse the Internet while watching a play with famous actors.

One more example, and I’ll let you go. This morning I’ve received an email that someone I know sent me a private message via a social network called Zorpia. I don’t know where are these people learning about such services, really. Anyway, you don’t have to be a rocket scientist to guess what Zorpia wants for showing me that private massage:


No, for some reason I don’t want you to manage my contacts. I frequently get emails that start like this: “John Smith is updating his contact information at the social network and asks you to login and update your cell phone number there”. Needless to say that starts with offering me to login with one of the popular OAuth servers, and I’d say “No”.

Don’t blame the OAuth protocol, which has all provisions for restricting the access for these third-party applications. There is a special scope parameter that allows to specify what a third-party app can do on your behalf. For example, here’s the description of the scope parameters for the developers who want to delegate authorization to Google’s OAuth servers.

Here’s my message to you: “Think twice before letting some Web application to delegate the authorization process to someone else.” Read the fine print!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s