0

If I use Facebook or Google as authentication providers, do they gain access to the data in my website? Can they scrape it with a bot? Can I prevent them from gaining this access?

Pablo
  • 113
  • 2

1 Answers1

4

Let's unpack this into the specific questions. I'll try to be brief in my answers because the overall theme should give you an idea what the situation is...

do they gain access to the data in my website?

Assuming the data is protected by access controls - and not already public - then it would be a violation of your trust in the third-party authorization provider for them to access your site's data directly. They are unlikely to do this, because the value of stealing your data would not be worthwhile given the lost value if they lose your trust.

But technically speaking, there's nothing in the OAuth protocol that would stop a provider from spoofing your user's identity. By using a third-party provider, both you and your users are placing your trust in them not to do this.

Can they scrape it with a bot?

Given that they could spoof a user, they could presumably gain access to your site by performing an OAuth handshake. If it were authenticated and understand your authentication scheme (ie. you're using an auth cookie, or the bot knows how to use your Bearer Token scheme or similar), they could theoretically browse the authenticated portion of your site to scrape it.

But as mentioned above, they probably wouldn't. Again, this is the risk you take by using a third-party provider. You need to trust them.

Can I prevent them from gaining this access?

Not really. If you're just worried about automated access, you could do something to obscure the authentication between the client and server so that a web scraper wouldn't likely know how to use the auth token. For example, you might change the header name. That said... this is probably a bad idea. There are a number of assumptions made by web servers and server monitoring tools that would help to keep from leaking Authorization headers, which might not be true for other headers.

All said and done, if you're going to use a third-party authorization provider, you need to trust that they will have appropriate safeguards on their end to protect your application from misuse. If placing this trust on the third-party is not appropriate for your level of risk acceptance, then don't use a third-party identity provider.

nbering
  • 3,988
  • 1
  • 21
  • 22