Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

David Waite <> Fri, 26 February 2021 21:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2AFEF3A0C28; Fri, 26 Feb 2021 13:36:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gq9G8G4ZB9qA; Fri, 26 Feb 2021 13:36:08 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C5F013A0C23; Fri, 26 Feb 2021 13:36:08 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by (Postfix) with ESMTPA id D83B120511C; Fri, 26 Feb 2021 21:36:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=dkim; t=1614375365; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XzNa/FeuwVfR8Bay5xW5Z/Cz6ylpXzhPFHfObgrQKl4=; b=j26VsexMM9UZWirBA10U4IbT/ggf3nhYnW5r733RIWigsepWklxR3l9ubbNp745821IJ3d lO+mSD+QnSWXVBCpZvWxOEW6ylKrKGZQGmQAvIWlcy/EZQ8A7vuAbVJlbTPTY3BQhqARyF 6uh2YXI9zZZX5egu6EQ0TvS4Lasqf2w=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
From: David Waite <>
In-Reply-To: <>
Date: Fri, 26 Feb 2021 14:36:02 -0700
Cc: Warren Parad <>, Bron Gondwana <>, Phillip Hallam-Baker <>, IETF-Discussion Discussion <>, "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
To: Aaron Parecki <>
Authentication-Results:; auth=pass
X-Spamd-Bar: /
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Feb 2021 21:36:10 -0000

> On Feb 26, 2021, at 9:32 AM, Aaron Parecki <> wrote:

> The point is that basically nobody uses it because they don't want to allow arbitrary client registration at their ASs. That's likely due to a combination of pre-registration being the default model in OAuth for so long (the Dynamic Client Registration draft was published several years after OAuth 2.0), as well as how large corporations have decided to run their ASs where they want to have (what feels like) more control over the things talking to their servers.

Do you disagree that this gives them control over which things talk to their servers?

FWIW my personal mental model here is pretty simple:

With users, there are services you provide anonymously and services you provide only to registered/authenticated/trusted parties for various reasons. Once you are delegating user access, you still have many of the same reasons to provide access to anonymous or registered/authenticated/trusted delegates.

Dynamic registration arriving later and requiring additional complexity has unfortunately encouraged registration in use cases where anonymous clients might have been acceptable, but shifting the timelines or complexity balance would not  have changed business needs for authentication and trust of delegates. Omitting registration would have caused businesses to use other protocols that met their needs.

If AS’s are only getting what feels like proper control for their business needs, we should attempt to give them the actual control they require.