
PKCE vs Proxy | APIs You Won't Hate

Submitted by Style Pass, 2021-05-21 18:30:06

Logging in to a web service used to mean sending a username and password and getting a cookie in return. That cookie is then sent with every request so that the server knows who is making it. As it became more common for services to act on a user's behalf with other services, other authorization systems evolved. One of them is OAuth, which issues tokens rather than relying on a shared session cookie.

OAuth is an authorization framework that lets three parties (the user, the application they are using, and the service that holds their account) interact with a minimum level of trust. Only one service ever needs to know your username and password. The service that does not store them can ask the one that does to confirm who the user is and what the application is allowed to do. In general this is a better and more secure user experience: a user maintains their profile and password in a single place and has it referenced automatically when they connect other services. No more typing an email address into every site and updating it in several places when it changes. This is how "Login with Facebook" or "Login with Google" buttons work (strictly speaking via OpenID Connect, the identity layer built on top of OAuth 2.0).

Unfortunately, this approach carries a couple of inherent security risks. First, one service is not as trustworthy as another: you might want a budgeting app to read your account balance, but you probably do not want it to be able to empty your checking account, so the permissions granted have to be scoped narrowly. Second, the first time the two services are connected, the authorization code that ties them together is handed back through the user's browser over a public network, a path neither service fully controls and where anyone listening can capture it.
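The interception risk above is exactly what PKCE (RFC 7636), the subject of the article's title, is designed to close. The following is an added example, not code from the original article: a client that derives a one-time code_verifier and its S256 code_challenge, and a toy authorization server (constructed here for illustration, not any real implementation) that binds the challenge to the authorization code and refuses the token exchange unless the matching verifier is presented. The client name "budget-app" and the server class are assumptions for the demonstration; the verifier and challenge rules follow RFC 7636 sections 4.1 and 4.2.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 s4.1: code_verifier is 43-128 characters from the unreserved set.
UNRESERVED = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy secret that never leaves the client.
    32 random bytes encode to 43 base64url characters, the minimum length."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not UNRESERVED.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (constructed for this example).
    Only the PKCE-relevant parts of the authorization code grant are modelled."""

    def __init__(self):
        self._codes = {}  # one-time authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # The challenge arrives with the /authorize request and is bound to the code.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' offers no protection")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code  # travels back to the client through the browser redirect

    def exchange(self, client_id: str, code: str, code_verifier: str) -> dict:
        # /token: recompute the challenge from the presented verifier and compare.
        entry = self._codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, challenge = entry
        if bound_client != client_id:
            raise PermissionError("invalid_grant: code issued to another client")
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: code_verifier does not match")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(intercepted: bool = False) -> bool:
    """Run one authorization code exchange. With intercepted=True the party
    presenting the code captured it off the redirect but never saw the
    verifier, so it can only guess one. Returns True if a token was issued."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("budget-app", make_code_challenge(verifier))
    presented = make_code_verifier() if intercepted else verifier
    try:
        server.exchange("budget-app", code, presented)
        return True
    except PermissionError:
        return False


def replay_is_rejected() -> bool:
    """A code that has already been exchanged cannot be exchanged again,
    even with the correct verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("budget-app", make_code_challenge(verifier))
    server.exchange("budget-app", code, verifier)
    try:
        server.exchange("budget-app", code, verifier)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("honest client gets token:", run_flow())
    print("eavesdropper with only the code gets token:", run_flow(intercepted=True))
    print("replay of a used code rejected:", replay_is_rejected())
```

Because the challenge is a hash, an eavesdropper who captures the redirect learns only the authorization code and the challenge, neither of which lets them produce the verifier the token endpoint demands; the `plain` method is refused because it would send the verifier itself on the observable leg.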
