
Serious Security: OAuth 2 and why Microsoft is finally forcing you into it
2022-10-10 18:02

So if we're looking at HTTP Authentication, all we're really talking about is asking you to present a credential, which is, for most of us, a username and password, in order to gain access to something.

"We're not going to tell you how to do it. We're going to say you should do one of these strong authentication methods, and then, once you know who you're talking to, we'll use OAuth to grant you a token that's independent of your proof of identity, that says what type of access you should have, and how long you should have it."

Your password hopefully never expires when you authenticate normally, whereas in this case you can have some expirations involved, you can set limits, and you can also not just grant access to everything a user has access to.

You don't have to grant somebody access to *everything* in order to grant them access to *something*.

DUCK. And another feature, Chester, that OAuth 2 has is the idea of a thing called a "Refresh token", where you can have access tokens that are only valid for a limited time, just in case something goes wrong.

So there are several apps for Linux, Mac and Windows that allow people to access their Outlook mailboxes without using Microsoft Outlook, but most of those do not support OAuth.

News URL

https://nakedsecurity.sophos.com/2022/10/10/serious-security-oauth-2-and-why-microsoft-is-finally-forcing-you-into-it/
