upvote

points

by sandeepkd15 hours ago |
comments
upvoteby ZiiS12 hours ago|
next
[-]
AWS do exactly this. An example use-case is IAM can grant permission to update a Lambda to a Github action running in a given repository.
reply
upvoteby sandeepkd12 hours ago|
parent|
[-]
Personally I dont like the way they do it, its hard to understand, if anything its convoluted.

In case of AWS, you add Github as an IDP (OIDC provider) and associate a role to it.

Github is now authenticating into AWS, scoped to the github repository where its configured and the AWS role it can assume

Its not really a typical OAuth2 or OIDC flow. And yes its better than storing the keys.

Github is not the OAuth client here.

reply
upvoteby ok_dad15 hours ago|
prev|
next
[-]
Do you understand what OAuth is? It’s like an API key but less likely to be abused. This is a good thing. It helps security in many ways and makes security flows more safe than carrying around a token.
reply
upvoteby sandeepkd12 hours ago|
parent|
next
[-]
I really feel sad about the state of security and its bit hard to unwrap in one paragraph which makes it more challenging. Let me try to be bit more verbose

Cloudflare API Keys - You create them and then use those keys directly against cloudflare API's to manage services/infrastructure in your account. How you create the keys is may be a different kind of challenge.

OAuth flow in discussion here - You are using a third party service (which registers themselves as a the client application with cloudflare), this service is going to prompt you for OAuth flow and redirect to Cloudflare, not (only) to authenticate you but it will get a access token on your behalf (your cloudflare account) from Cloudflare. Whatever this THIRD PARTY service uses this token for your behalf is going to incur infrastructure cost for your account.

reply
upvoteby ok_dad12 hours ago|
parent|
[-]
Yea and if you need to use that service then an API key does the same thing. People were giving these services the API keys which isn’t great. You can argue that third party services aren’t a good idea, but then why are you using cloudflare? I don’t understand why you think this is a security issue, if you don’t trust a third party service don’t use it. You have to approve the permissions, they don’t just steal them.

Sorry if I was rude earlier but saying OAuth is some security flaw made me think that you didn’t understand what it was about; it’s just a way to grant permissions to a third party you trust. If you do then I’m curious why you think it’s flawed.

reply
upvoteby usr110614 hours ago|
parent|
prev|
[-]
Maybe he doesn't. And I know that I don't (at least not in depth). And that's the frightening thing here. Using a protocol that many don't understand for access to valuable resources
reply
upvoteby ok_dad12 hours ago|
parent|
[-]
OAuth is pretty simple, just read the spec.

Your go to a third party web site. They send you to your OAuth provider, like cloudflare. Cloudflare asks you to login if you’re not logged in, then asks if you want to give that party certain permissions. You say yes or no and then click approve and then you get redirected back to the third party site. They get a secure token and can use that to access the services with permissions you approved. If you don’t trust the third party then don’t approve it.

It is like an API key but you never have to touch it. The third party can encrypt it and store it securely and it never has to be copied and pasted. You can use this on backend services that need to access things too. I recently wrote an OAuth client for MCP servers for something I’m building (not gonna advertise here because that’s rude) and it’s very nice once you read the spec.

reply
upvoteby bogdan10 hours ago|
parent|
[-]
You're right. Crazy how we ended with so many different implementations.
reply
upvoteby codebje15 hours ago|
prev|
[-]
How different is this to, eg, the Google developer program, in which I can create a new OAuth client for Google users?
reply
upvoteby sandeepkd12 hours ago|
parent|
[-]
OAuth2, to be more precise, is a protocol which can be used both for authentication (verifying the user) and authorization (accessing resources on behalf of that user).

Most people in CIAM (customer identity, individuals owing their account instead of representing a company) only interact with OAuth client for authentication. They do not give access of their google account to some THIRD PARTY COMPANY.

reply
upvoteby smw11 hours ago|
parent|
[-]
Sure they do. All the time! For example, if you want to use a script in Google Docs these days, you have to go through an oauth flow to give that script's app permission to do certain actions in your Docs.
reply