Serious Security: OAuth 2 and why Microsoft is finally forcing you into it
So if we're looking at HTTP Authentication, all we're really talking about is asking you to present a credential, which is, for most of us, a username and password in order to gain access to something.
"We're not going to tell you how to do it. We're going to say you should do one of these strong authentication methods, and then, once you know who you're talking to, we'll use OAuth to grant you a token that's independent of your proof of identity, that says what type of access you should have, and how long you should have it."
Your password hopefully never expires when you authenticate normally, whereas in this case you can have some expirations involved, you can set limits, and you can also not just grant access to everything a user has access to.
You don't have to grant somebody access to *everything* in order to grant them access to *something*.
DUCK. And another feature, Chester, that OAuth 2 has is the idea of a thing called a "Refresh token", where you can have access tokens that are only valid for a limited time, just in case something goes wrong.
So there are several apps for Linux, Mac and Windows that allow people to access their Outlook mailboxes without using Microsoft Outlook, but most of those do not support OAuth.