| ▲ | pixelatedindex 3 days ago |
| IME, OAuth flows are pretty common in S2S communication. Usually these tend to be client credential based flows where you request a token exactly like you said (static key in Authorization), rather than authorized grant flows which requires a login action. |
|
| ▲ | cyberax 3 days ago | parent [-] |
| Yeah, but then there's not that much difference, is there? You can technically move the generation of the access tokens to a separate secure environment, but this drastically increases the complexity and introduces a lot of interesting failure scenarios. |
| |
| ▲ | pixelatedindex 3 days ago | parent [-] | | I mean… is adding an OAuth layer in 2025 adding that much complexity? If you’re scripting then there’s usually some package native to the language, if you’re using postman you’ll need to generate your authn URL (or do username/passwords for client ID/secret). If you have sensitive resources they’ll be blocked behind some authz anyway. An exception I’ve seen is access to a sandbox env, those are easily generated at the press of a button. | | |
| ▲ | cyberax 3 days ago | parent [-] | | No, I'm just saying that an OAuth layer isn't really adding much benefit when you either use an API key to obtain the refresh token or the refresh token itself becomes a long-term secret, not much better than an API key. Some way to break out of the "shared secret" model is needed. Mutual TLS is one way that is at least getting some traction. | | |
| ▲ | JambalayaJimbo 2 days ago | parent [-] | | Refresh tokens aren’t necessarily long lived, you can force the client to exchange for another refresh token. |
|
|
|
