Simon Willison

Imagine a version of my dumb little "write a haiku about a photo you take" page which used OAuth, harvested API keys and then racked up hundreds of dollar bills against everyone who tried it out running illicit election interference campaigns or whatever

tools.simonwillison.net/haiku

7 comments
Simon Willison

I'm trying to think of an OAuth API that dishes out tokens which effectively let you _spend money on behalf of your users_ and I can't think of any - OAuth is great for "grant this app access to data that I want to share", but "spend money on my behalf" is a whole other ball game

Simon Willison

I guess there's a version of this that could work: it's OAuth but users get to set a spending limit of e.g. $1 (maybe with the authenticating app suggesting what that limit should be)

Simon Willison

Mike Taylor on Twitter pointed out that advertising apps in Google/Facebook world often use OAuth to gain the ability to spend advertising money on behalf of users without getting into trouble - I've added that counter-example as a note to my blog post here: simonwillison.net/2024/Aug/24/

Emelia 👸🏻

@simon I think there's a new I-D for OAuth that does or can do something like this...

Ian

@simon Like an allowance system? Interesting idea.

Mikołaj Hołysz

@simon IMO this would work if and only if the user had to explicitly input a dollar value to grant.
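
As an added illustration of the capped-grant idea above (a spending limit on an OAuth grant, with the user typing the amount rather than the app), not code from this thread or from any real OAuth provider: a toy authorization server mints an HMAC-signed token carrying the user-entered cap, and a billing API enforces that cap cumulatively and rejects a token whose cap was edited after signing. The signing key, the claim name max_spend_cents, the BillingApi and all sample values are assumptions constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Assumption: key shared by the authorization server and the billing API (constructed demo value).
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_spend_token(user: str, client_id: str, user_entered_cents, suggested_cents=None) -> str:
    # Authorization server: the cap is what the user typed; suggested_cents is only displayed.
    if not isinstance(user_entered_cents, int) or user_entered_cents <= 0:
        raise ValueError("user must explicitly grant a positive spend limit")
    claims = {"sub": user, "aud": client_id, "scope": "spend",
              "max_spend_cents": user_entered_cents,
              "jti": hashlib.sha256(f"{user}:{client_id}:{time.time_ns()}".encode()).hexdigest()[:16],
              "exp": int(time.time()) + 3600}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_spend_token(token: str) -> dict:
    # Resource server: check signature and expiry before trusting any claim.
    body, sig = token.split(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("token signature invalid")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    return claims

class BillingApi:
    # Enforces the per-grant cap: cumulative charges per token id never exceed it.
    def __init__(self):
        self.spent_by_jti = {}
    def charge(self, token: str, cents: int) -> int:
        claims = verify_spend_token(token)
        if "spend" not in claims["scope"].split():
            raise PermissionError("token lacks spend scope")
        used = self.spent_by_jti.get(claims["jti"], 0)
        if cents <= 0 or used + cents > claims["max_spend_cents"]:
            raise PermissionError(f"charge refused: {used + cents} > cap {claims['max_spend_cents']}")
        self.spent_by_jti[claims["jti"]] = used + cents
        return claims["max_spend_cents"] - (used + cents)  # remaining allowance

def with_rewritten_limit(token: str, cents: int) -> str:
    # Raise the cap in the payload without re-signing; verify_spend_token must reject it.
    body, sig = token.split(".")
    claims = dict(json.loads(_unb64(body)), max_spend_cents=cents)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"
```

The cap lives in the signed token and is tracked per token id on the API side, so a client that was granted $1 cannot spend $1.01 no matter how many requests it makes.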

Darrel Miller

@simon Both Azure APIs and Microsoft Graph use OAuth2 JWT tokens to enable a user to do things that cost money, but in both cases the token needs to be issued by Microsoft's identity provider. It might be possible to use a Federated Identity to incur those costs too, but there are plenty of controls in place for the subscription owner.
