
I've only ever implemented web-based OAuth flows, so I haven't seen that behavior.

Do they also disallow the use of refresh tokens? It would seem that allowing refresh would let a malicious app get around the requirement.




If you force a check at the start, refresh token seems fine. That's much preferable to popping UX every hour or whenever the access token expires.


Then what's the point? The malicious app would just keep refreshing so you never see the confirmation again, anyway.



