Re: RFC 8252 is a complete joke

On Thu, Jun 29, 2023, at 21:25, tom petch wrote:
<tp>
Microsoft seems to take the opposite view with Outlook.  They have withdrawn support for the traditional forms of authentication and are now promoting the use of OAUTH as an alternative.

The cynic (me!) might think that this advances the cause of those websites whose primary mission is to maximise the amount of personal data that can be harvested and monetised (or is that all websites nowadays?).

The not-so-cynic in me believes that, as a service operator, having thousands of machines out there with a server-generated token being the thing stored on them rather than a username/password pair that's created by the human.  It's so much less of a risk.  Clients that store passwords locally mean that user generated password content leaks, and that's much more likely to be the same password they use elsewhere.

I'm not defending the use of OAUTH as the mechanism, it's quite clunky - but to say there are no benefits to bearer tokens instead of basic auth or 'user:pass' pairs - that misses a bunch of very legitimate operational concerns.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@xxxxxxxxxxxxxxxx


