ted_dunning 7 days ago
Your comments are so highly abbreviated as to be nearly impossible to understand. I suspect that unintelligibility is leading to it being heavily downvoted. The addition of the comment about LLMs isn't really helping.
derangedHorse 6 days ago | parent
His comments are also outdated. Browser binding with a separate nonce is standard practice by big identity providers, redirect URIs are typically strictly validated, implicit flow without PKCE is being phased out, and most browsers protect against a lot of would-be CSRF attacks with strict SameSite cookie headers.
homakov 7 days ago | parent
I wasn’t criticizing the guide — just pointing out real OAuth2 pitfalls that still affect users. The spec itself made mistakes:
• Silent account hijack via “Connect this provider.”
• Redirect leaks of code (via Referrer) or access_token (via #hash).
• CSRF because state was optional and often ignored.
The point is: these aren’t obscure edge cases, they’re structural issues baked into the protocol.
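The mitigations both commenters touch on (a session-bound state parameter checked on the callback, an exact-match redirect URI allow list, PKCE instead of the implicit flow, and refusing tokens delivered in a URL fragment) in one OAuth2 client-side flow. This is an added example, not code from the thread or from any provider; the registered redirect URI and the session dict are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed allow list: compare redirect URIs exactly, never by prefix or wildcard.
REGISTERED_REDIRECT_URIS = {"https://app.example/oauth/callback"}


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def begin_authorization(session: dict, redirect_uri: str) -> dict:
    """Build authorization-request params and bind state + PKCE verifier to the session."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered")
    state = secrets.token_urlsafe(32)          # unguessable, single-use, tied to this session
    verifier, challenge = pkce_pair()
    session["oauth_state"] = state
    session["oauth_verifier"] = verifier
    return {"response_type": "code", "redirect_uri": redirect_uri, "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256"}


def handle_callback(session: dict, callback_url: str) -> tuple[str, str]:
    """Validate the provider's redirect; return (code, code_verifier) for the token request."""
    parts = urlsplit(callback_url)
    if parts.fragment:
        # An access_token in #hash is the implicit-flow leak; the code flow never needs one.
        raise ValueError("unexpected fragment in callback URL")
    query = parse_qs(parts.query)
    expected = session.pop("oauth_state", None)   # pop: state is consumed on first use
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: callback not bound to this session (login CSRF)")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code, session.pop("oauth_verifier")
```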