Konubinix' opinionated web of thoughts

Ways to Authenticate

Fleeting

authentication

WebAuthn

You get authenticated by clicking a link sent to your mail address (a "magic link"). This is a one-factor authentication: it only proves that you can read that mailbox, i.e. in practice that you know the password of the mail account.
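The mechanism described above, as an added example that is not part of the original note: the server issues a random single-use token, stores only its hash with an expiry, puts the token in a link that is mailed to the user, and redeems it once. The URL, the time-to-live and the in-memory store are assumptions for the example; the mail transport is left out, the function simply returns the link that would be mailed.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed values for the example: a short validity window and a login URL.
TOKEN_TTL_SECONDS = 15 * 60
LOGIN_URL = "https://example.test/login"


class MagicLinkAuth:
    """Magic-link login: whoever can read the mailbox can log in (one factor)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, so expiry can be tested
        self._pending = {}              # sha256(token) -> (email, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a hash: a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email` and return the link to mail out."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str) -> "str | None":
        """Return the mail address the token was issued for, or None.

        The token is removed on first use (single use) and rejected after
        its TTL; no distinction is made between unknown, used and expired
        tokens, so an attacker learns nothing from the error.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def token_from_link(link: str) -> str:
    """Extract the token parameter from a mailed link (what the browser sends back)."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    auth = MagicLinkAuth()
    link = auth.issue("alice@example.test")      # would be mailed to the address
    print("mailed link:", link)
    print("first use  :", auth.redeem(token_from_link(link)))
    print("second use :", auth.redeem(token_from_link(link)))
```

Note what this does and does not prove: redeeming the link shows control of the mailbox at that moment, nothing more. Everything the mailbox password protects is therefore also what this login protects, which is why the note calls it one factor.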

embedded password in each client

It is not a good idea, because this makes the client responsible for sending the password to the authorization server. It also lets the client see the whole exchange between the user and the authorization server, which makes the user consent screen useless: a client that already holds the password does not need the user's consent for anything.

Also, every client dealing with the password gets the responsibility of protecting it. All those clients and their dependencies become attack surface (XSS in a web client, for instance, is enough to exfiltrate the password).

This might be acceptable when the authorization server and the resource server are one and the same, in a non-critical setup.

But as soon as there are several clients, this causes another issue: the user gets used to typing their password into several different places (versus providing it ONLY to the authorization server). This eases phishing: the attacker just provides yet another client and steals the password when the user types it in. A user who is used to giving their password to any client is unlikely to mind doing so one more time.

Therefore, for the model to make sense, the resource owner needs to know the authorization server, trust it, and give the password to it only.