
That matches my experience, and it doesn't help that the RFCs, in trying to explain it, have declared defeat early on.


It's also hard to find the relevant RFC, because older RFCs contain grant types that are no longer recommended, but still widely in use.

This means that if you're working on a legacy application that's using something like the implicit grant, to actually learn about it, you need to read superseded RFCs.


> It's also hard to find the relevant RFC, because older RFCs contain grant types that are no longer recommended, but still widely in use.

Why do you think this is a problem? So old RFCs specify grant types. That's ok, that's the whole point of specifying authentication schemes. Some are not recommended? That's perfectly fine, it just means there are better, safer ways to implement a flow. Are they still widely used? That's great, you already know where they are specified. So what's the problem?

> This means that if you're working on a legacy application that's using something like the implicit grant, to actually learn about it, you need to read superseded RFCs.

I don't understand. Where do you see a problem? You said you know where a specific flow is specified, and you want to learn it. You even have an implementation? What's the problem? Does a "superseded" tag bother you?


The OAuth 2.1 spec does a lot to bring everything together and simplify things at the same time.



