Hey @WGrobler, this is a great point. I definitely designed the system with simplicity in mind, but security isn’t something you can afford to oversimplify.
I’m currently in the process of designing an open tunneling protocol. You can read about it here.
The goal is to have a protocol that can be implemented by TakingNames.io so I can integrate it into my open source apps and sell tunnels to those who want the simplest possible option, but I would also implement it in boringproxy so people can use my apps with self-hosted tunnels if they prefer.
This protocol will work over OAuth2. In order to make that work in boringproxy, I’ll almost certainly need a new token management system. I could imagine dropping the current token system and moving to an OAuth2-only setup.
Do you think that would solve your concerns? Do you think we need to keep the old way (but make it more secure) in addition to offering OAuth2?