-
-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use something more secure than bearer tokens for auth #259
Comments
Another alternative is access_tokens that actually expire, or which have limited powers. |
I'm interested in this also. My concern is that logging in to a 3rd party app gives them access to all of my account data. I would be particularly interested in restricting apps to certain rooms or message types. |
It's worth noting that OAuth2 deliberately replaced OAuth1's signatures with bearer tokens, basically because signatures were a pita to work with. Maybe it's better just to limit the power (ie, |
related: #636 |
Some related activity:
|
vaguely related: #1780 |
moving access_tokens to the http headers mitigated it, but it's still quite easy to leak an access_token, in which case, you lose. Perhaps we should consider using something like OAuth 1 signatures, like twitter: https://developer.twitter.com/en/docs/basics/authentication/guides/creating-a-signature
The text was updated successfully, but these errors were encountered: