How does OAuth harm privacy ?

Denis <> Mon, 01 March 2021 15:29 UTC

Subject: How does OAuth harm privacy ?
To: Jim Manico <>
Cc: IETF-Discussion Discussion <>
From: Denis <>
Date: Mon, 1 Mar 2021 16:29:12 +0100

Hello Jim,

Since you dared to raise the question: "*How does OAuth harm privacy* ?", I need to respond. I changed the title of the thread accordingly.

With OAuth, the RS must have a prior relationship with the AS (which is not scalable). When the client calls the AS, the AS is able to know which is the RS and then is in a position to know which end-user is likely to access which RS.

When furthermore *token introspection* is being used, the AS is in a position to know exactly when an end-user is performing an access to every RS. Some people would say that the AS is able to act as *Big Brother*. While this might be acceptable within a single domain (i.e. all the users, ASs and RSs belong to the same organization or company), this is a serious concern if/when used in general over the Internet in a multi-domain case.

Since the access tokens are considered to be opaque to the clients (and hence to the end-users), a client is not supposed to verify which privileges have effectively been inserted into an access token, in particular whether a unique identifier that would allow the RSs to correlate the accounts of their users has been maliciously added into every access token.

In your email you wrote:

    I don’t see how moving from handing your creds over to a third party
    to OAuth2 workflows, harms either privacy or security.

I hope that the facts mentioned above will allow you to see that OAuth does harm the user's privacy.


>> On 01/03/2021 15:13 Jim Manico <> wrote:
>> How does OAuth harm privacy? 
> I think you are analyzing the matter at a different level.
> If you start from a situation in which everyone is managing their own 
> online identity and credentials, and end up in a situation in which a 
> set of very few big companies (essentially Google, Apple and Facebook) 
> are supplying and managing everyone's online credentials and logins, 
> then [the deployment of] OAuth[-based public identity systems] is 
> harming privacy.
> Centralization is an inherent privacy risk. If you securely and 
> privately deliver your personal information to parties that can 
> monetize, track and aggregate it at scale, then you are losing privacy.
> -- 
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> Office @ Via Treviso 12, 10144 Torino, Italy
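The two observations in the message above (the AS learning every introspected access, and a stable identifier inside an opaque token that unrelated RSs can use to correlate their accounts) as an added, runnable simulation. This is not code from the thread or from any OAuth implementation: the class and function names, the two RS names and the user name are constructed for this example, and the optional pairwise-subject mode is an added aside showing what the cross-RS correlation depends on.

```python
"""Toy OAuth 2.0 setup: one authorization server (AS), two resource servers
(RSs) and a client.  Constructed for this example; the names below are
assumptions, not an existing library's API.

Shows (1) that with token introspection (RFC 7662) the AS records every
(user, RS, time) access, because the RS must ask the AS what an opaque
token means, and (2) that an opaque token can carry a stable 'sub' the
client never sees, which lets the RSs join their records on it.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    pairwise: bool = False     # added aside: per-RS pseudonymous 'sub' instead of a global one
    _claims: dict = field(default_factory=dict)    # opaque token -> claims returned on introspection
    _owner: dict = field(default_factory=dict)     # opaque token -> real user (AS-internal)
    _log: list = field(default_factory=list)       # everything the AS learns
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def subject_for(self, user: str, audience: str) -> str:
        # A global 'sub' is the same at every RS; a pairwise one is an HMAC
        # over (user, audience) and therefore differs per RS.
        if not self.pairwise:
            return user
        msg = f"{user}|{audience}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_token(self, user: str, audience: str, scope: str) -> str:
        # The client receives a random opaque string and cannot see the claims.
        token = secrets.token_urlsafe(24)
        self._claims[token] = {
            "active": True,
            "sub": self.subject_for(user, audience),
            "aud": audience,
            "scope": scope,
            "exp": int(time.time()) + 600,
        }
        self._owner[token] = user
        # Already at issuance the AS learns which RS the user intends to use.
        self._log.append(("issue", user, audience, time.time()))
        return token

    def introspect(self, token: str, caller_rs: str) -> dict:
        # RFC 7662 style: the RS authenticates to the AS and asks about a
        # token, so the AS sees exactly which RS is being accessed and when.
        claims = self._claims.get(token)
        if claims is None or claims["exp"] < time.time() or claims["aud"] != caller_rs:
            self._log.append(("introspect", None, caller_rs, time.time()))
            return {"active": False}
        self._log.append(("introspect", self._owner[token], caller_rs, time.time()))
        return dict(claims)

    def access_log(self) -> list:
        return list(self._log)


@dataclass
class ResourceServer:
    name: str
    as_: AuthorizationServer
    seen_subjects: set = field(default_factory=set)

    def handle_request(self, token: str) -> bool:
        info = self.as_.introspect(token, self.name)
        if not info.get("active"):
            return False
        self.seen_subjects.add(info["sub"])   # what this RS can store about the user
        return True


def run_scenario(pairwise: bool = False) -> dict:
    """One user obtains tokens for two unrelated RSs and uses each once."""
    as_ = AuthorizationServer(pairwise=pairwise)
    photos = ResourceServer("photos.example", as_)   # constructed RS names
    health = ResourceServer("health.example", as_)
    user = "alice"                                   # constructed user

    t1 = as_.issue_token(user, photos.name, "read")
    t2 = as_.issue_token(user, health.name, "read")
    assert photos.handle_request(t1) and health.handle_request(t2)
    assert not photos.handle_request(t2)   # token for the other RS is rejected

    successful = [e for e in as_.access_log() if e[0] == "introspect" and e[1]]
    return {
        # The AS's view: each RS access by the real user, with the RS name.
        "as_sees": [(u, rs) for _, u, rs, _ in successful],
        # Can the two RSs join their records on the subject identifier?
        "rss_can_correlate": bool(photos.seen_subjects & health.seen_subjects),
    }


if __name__ == "__main__":
    print(run_scenario())                 # AS sees both accesses; RSs share 'alice'
    print(run_scenario(pairwise=True))    # AS still sees both; RSs hold different subs
```

Running it shows that the pairwise mode changes only the second result: the RSs can no longer correlate, but the AS still sees every introspected access, which is the point the message makes about introspection.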