Re: [OAUTH-WG] third party applications

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 28 August 2020 15:07 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2188C3A0C5E for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2020 08:07:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZWoCp23lyefQ for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2020 08:07:32 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58B103A0BE0 for <oauth@ietf.org>; Fri, 28 Aug 2020 08:07:32 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a26so1974210ejc.2 for <oauth@ietf.org>; Fri, 28 Aug 2020 08:07:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jij21muY4aGcTfrRQqi6IQuvtg+LwXFb0yLH/idCOmQ=; b=iVjwPh1EFSTls/LTjR7/k4hovwubAMRmGkDiHF09iOdBrsg5U7s7XePlUcmB9fNFLs z7/UlHkQ0ziocp6P8RA4IGYN7RRSBWM97s/6ddAVZ+hE12eGfW7tudVCMBKIHFMKz6IY QqntD63Ez6CK88pgT93UDTMmI601xYECsuvCMnC8IG4A7O/5URHOv4wEj36VW7xt/uLN daSgOlakqw1lLA2Q2OUHjTKN0xFJMqm6WaOCvEWTjh1DCKtZ9c9OIqSEBJNltniqMGU+ cR+s2ZdTfwkvoq/iD8WqEGtfKWs6fuQYKcX98jvkWdfEb3WJXHzsrmei3vpd2XPG9SNH 806Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jij21muY4aGcTfrRQqi6IQuvtg+LwXFb0yLH/idCOmQ=; b=grY/GaoY5ZqKlRDNKV1OwmKiISMev+RledDHQpwHFHunBEtqAT3VI+8jvWvmWgPgCu 2789KTeltGnFUXRaTXT/vChWnj5EmG6Cd/CsSNjwpsJMOeaP7oeFKpglajZcvFIvu9K8 W2xj95OmTx2DDfMtDG+aNaopPwk+Tf36MRAlgZDaqYaNHMSTxEas8fqWSYCZsTD6p8vU FKAxFwkE/FhP0DiXivlDx/HZxxaE3Z1r2rX2vDh8h5ZihoNLbfQlTp7E5QhB05RHKaRY npOz65Oe23IfMExTwn5XbMdjlhnR+9WCOzWWbtMITyIRWvdWBlQ68wAMc9nKIFebPe/B 9Z/w==
X-Gm-Message-State: AOAM531NWfDX2Swd/TeesQ9aLYzynYmsUYOyZnn682cMPoOmzduJuvfK yA4DReKSiYWR/Qwz9I2MYA+KBw==
X-Google-Smtp-Source: ABdhPJxzizPKAYXl+YlhB/jZ6JvDKXaGJr4gflSvT1/CVKN9Cy/4q0IJMbYEY9YgB8CQ0AWlNw7cVw==
X-Received: by 2002:a17:906:a293:: with SMTP id i19mr2356836ejz.523.1598627250620; Fri, 28 Aug 2020 08:07:30 -0700 (PDT)
Received: from p200300eb8f1e2a7f0135b1f6009a5514.dip0.t-ipconnect.de (p200300eb8f1e2a7f0135b1f6009a5514.dip0.t-ipconnect.de. [2003:eb:8f1e:2a7f:135:b1f6:9a:5514]) by smtp.gmail.com with ESMTPSA id t21sm979852ejr.62.2020.08.28.08.07.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 28 Aug 2020 08:07:27 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CAD9ie-vVt47TdyhU1qiGL9CLgsQ3mriPJ0irkw7ddBsdwv8QLw@mail.gmail.com>
Date: Fri, 28 Aug 2020 17:07:26 +0200
Cc: Dima Postnikov <dima@postnikov.net>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CC3CDA85-7060-46FA-9C54-BE5E43CC2467@lodderstedt.net>
References: <CAEMK1uY0cSOyyU2t0N9RTOzmMeEpfMsb7K9WfQD=fQdCde9jTQ@mail.gmail.com> <B2AA5092-32BD-499D-9EAF-09AB95E6E9B6@lodderstedt.net> <CAD9ie-sRNyRd3TX2_9-MaW3R+Swgp2Lg0uyXoBwu5rGw8Jphfg@mail.gmail.com> <2F52A020-8C82-4593-97D7-BE4C252CADD8@lodderstedt.net> <CAD9ie-vVt47TdyhU1qiGL9CLgsQ3mriPJ0irkw7ddBsdwv8QLw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2KgTdaHeg5qo2vJ9LIof1yB7WO4>
Subject: Re: [OAUTH-WG] third party applications
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 15:07:34 -0000

> On 28. Aug 2020, at 16:56, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> Well, OAuth is not very useful in a monolithic application. No need for an interoperable protocol for that kind of application.

I don’t know why we need to make any assumptions about the application that uses OAuth. A lot of assumptions might turn out to be wrong. So if me make assumptions they must be relevant for the protocol design. 

So again, why is “independent” or “third-party” relevant for the protocol design? 

> 
> And in separating functions, you are creating separate trust domains. Yes, it is still all internal, but it enables a separation of concerns.
> ᐧ
> 
> On Fri, Aug 28, 2020 at 7:49 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> In my experience OAuth is used in 1st party scenarios as means to separate functions (e.g. central user management vs. different products) within the same trust domain thus enabling architectural flexibility. 
> 
> I would just remove any constraint on the kind of applications OAuth can be used for. I don’t see how this governs the protocol design.  
> 
> > On 28. Aug 2020, at 15:29, Dick Hardt <dick.hardt@gmail.com> wrote:
> > 
> > The driver in my opinion for first-party use of OAuth is to separate the trust domains so that the application is scoped in what it can do vs an application that has full access to all resources. I agree that third-party can indicate that internal use does not apply. How about the following?
> > 
> >    The OAuth 2.1 authorization framework enables an independent
> >    application to obtain limited access to an HTTP service, either on
> >    behalf of a resource owner by orchestrating an approval interaction
> >    between the resource owner and the HTTP service, or by allowing the
> >    application to obtain access on its own behalf.  This
> >    specification replaces and obsoletes the OAuth 2.0 Authorization
> >    Framework described in RFC 6749.
> > ᐧ
> > 
> > On Fri, Aug 28, 2020 at 3:02 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> > I agree. OAuth works for 3rd as well as 1st parties as well. 
> > 
> > > On 28. Aug 2020, at 05:26, Dima Postnikov <dima@postnikov.net> wrote:
> > > 
> > > Hi,
> > > 
> > > Can "third-party" term be removed from the specification?
> > > 
> > > The standard and associated best practices apply to other applications that act on behalf of a resource owner, too (internal, "first-party" and etc).
> > > 
> > > Regards,
> > > 
> > > Dima
> > > 
> > > The OAuth 2.1 authorization framework enables a third-party
> > > 
> > >    application to obtain limited access to an HTTP service, either on
> > >    behalf of a resource owner by orchestrating an approval interaction
> > >    between the resource owner and the HTTP service, or by allowing the
> > >    third-party application to obtain access on its own behalf.  This
> > >    specification replaces and obsoletes the OAuth 2.0 Authorization
> > >    Framework described in 
> > > RFC 6749.
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>