Reputation: 9085
Two companies.
These companies have a trusted relationship with each other.
CorporateCompany wants their employees to be able to reuse their current CorporateCompany.com login credentials on MegaSocialPlatform, so that their employees don't have to make another account.
CorporateCompany has a limited amount of development power and does not have any fully fledged OAuth service implemented.
Would it be sufficient if they make an API where you can just post an email / password combination, and if it's right it returns some JSON with the CorporateCompany unique ID, email and name in there?
This ID could then be used to authenticate the user on MegaSocialPlatform, and link it to a MegaSocialPlatform ID.
Of course the classical systems like preventing hackers from trying more than 20 passwords are still in place.
Would there be any security issues? What other problems might arise?
Upvotes: 0
Views: 57
Reputation: 23456
You do not say it explicitly, but I assume that the API generating the JSON (token) would run inside CorporateCompany and authenticate the user against CorporateCompany's credential store. What you describe is basically a Security Token Service (STS).
However, in order for MegaSocialPlatform to use this token, it needs to know that it was issued by an entity it trusts. This is where digital signatures come into play. A real STS will sign the token with its private key. The consuming service is configured with the public key of the STS and is therefore able to verify that the token was issued by a trusted STS.
Security tokens usually contain more information: the date/time from which they are valid and the date/time after which they are no longer valid. They also contain an audience or relying-party identifier to indicate who the token is meant for, to prevent the use of a token issued for another service with MegaSocialPlatform.
Obviously all the communication between client - STS and client - MegaSocialPlatform must be done over encrypted communication channels (https) as bearer tokens are susceptible to theft.
Creating secure solutions is not trivial. You should therefore avoid implementing your own and use standard protocols and libraries or frameworks from a reputable origin. You might want to look at the JWT token for more information on security tokens in JSON format.
Upvotes: 1
Reputation: 53977
It could be implemented this way if both parties agree, but the downsides are:
the MegaSocialPlatform would "see" the CorporateCompany credentials for every user, so CorporateCompany must have a high degree of trust in MegaSocialPlatform not to store or abuse their users' credentials - avoiding this is exactly the purpose of OAuth
users would not experience single sign-on; they would have to type in their credentials over and over again when using MegaSocialPlatform, also across different platforms (e.g. browser and native app)
both parties would need to agree on the representation of user information in the JSON object - using a standard such as OpenID Connect (largely) avoids those pairwise agreements
Note that CorporateCompany does not have to build an OAuth server from scratch, they can just use an existing implementation and configure it to their needs.
Upvotes: 1