The README says this module "authenticates users using a ArcGIS account and OAuth 2.0 tokens", but sites like https://oauth.net/articles/authentication/ warn against using OAuth tokens for authentication:
OAuth APIs do not provide any mechanism of audience restriction for the returned information. In other words, it is very possible to take a naive client, hand it the (valid) token from another client, and have the naive client treat this as a "log in" event. After all, the token is valid and the call to the API will return valid user information. The problem is of course that the user hasn't done anything to prove that they're present, and in this case they haven't even authorized the naive client.
Is passport-arcgis safe to use in spite of this warning?
I asked essentially the same question here: http://security.stackexchange.com/questions/140595/is-it-safe-for-users-of-my-api-to-sign-in-with-github-using-passport-github