Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

William Mills <wmills_92105@yahoo.com> Wed, 06 February 2013 00:48 UTC

References: <CAJV9qO_J1-AhGB=XST0R-kwAd-9hjUbCJ4ieBPoE_OMe760mqg@mail.gmail.com> <73B7EC23-AA93-42EE-B3EB-35BA1B82558F@ve7jtb.com> <511175AA.9030301@gmail.com> <1360099372.47338.YahooMailNeo@web31807.mail.mud.yahoo.com> <CA+ZpN27GnnU6w5Dnth4zfsa+nMhi6Rsyqmq-tYOqG54+Sh-9ww@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A9483E7B3D@BY2PRD0411MB441.namprd04.prod.outlook.com>
Message-ID: <1360111712.54487.YahooMailNeo@web31812.mail.mud.yahoo.com>
Date: Tue, 05 Feb 2013 16:48:32 -0800
From: William Mills <wmills_92105@yahoo.com>
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>, Tim Bray <twbray@google.com>
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A9483E7B3D@BY2PRD0411MB441.namprd04.prod.outlook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1458549034-106740509-1360111712=:54487"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

Why use OAuth when OpenID does everything that OAuth can do as an authentication method and does a few things much better?

Specifically, OAuth lacks any defined way to:

- feed back any additional information like the real user ID (as opposed to what they entered)
- bound an authentication event in time
- provide any form of additional SSO payload like a display name for the user

There are probably other things.

It'll mostly work but there are things it doesn't do.  Could you solve some of the rest of this with token introspection or a user API that the RP could use to fetch user info, sure, but why rebuild OpenID when OpenID exists?

-bill



________________________________
 From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Tim Bray <twbray@google.com>; William Mills <wmills_92105@yahoo.com> 
Cc: "oauth@ietf.org WG" <oauth@ietf.org> 
Sent: Tuesday, February 5, 2013 2:27 PM
Subject: RE: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
 

 
I think this is becoming a largely academic / philosophical argument by this time.  The people who designed OAuth will likely point out that it was conceptualized as an authorization protocol to enable a RO to delegate access to a client to access its protected resources on some RS.  And of course this is the history of it.  And the RO and end-user were typically the same entity.  But getting caught up in what it was envisioned to do vs. real life use cases that OAuth can solve (and is solving) beyond its initial use cases misses the point … because OAuth is gaining traction in the enterprise and will be used in all different sorts of ways, including authentication.  
 
This is especially true of RESTful APIs within an enterprise where the RO and end-user are *not* the same: e.g. RO=enterprise and end-user=employee.  In this model the end-user is not authorizing anything when their client requests a token from the AS … they authenticate to the AS and the client gets an AT, which will likely be profiled by most enterprise deployments to look something like an OIDC id_token.  The AT will be presented to the RS which will examine the claims (user identity, LOA, etc.) and make authorization decisions based on business logic.  The AT has not authorized the user to do anything, it has only made an assertion that the user has been authenticated by the AS (sort of sounds a lot like an IdP now).
 
All this talk of OAuth being authorization and not authentication was extremely confusing to me when I first started looking at OAuth for my use cases, and I think at some point the authors of OAuth are going to have to recognize that their baby has grown up to be multi-faceted (and I mean this as a compliment).  The abstractions left in the OAuth spec (while some have claimed of the lack of interoperability it will cause) will also enable it to be used in ways possibly still not envisioned by any of us.  I think as soon as we can stop trying to draw the artificial line around OAuth being “an authorization protocol” the better things will be. 
 
I like to say that the authors had it right when they named it “OAuth” and not “OAuthR” :)
 
-adam
 
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tim Bray
Sent: Tuesday, February 05, 2013 3:28 PM
To: William Mills
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
 
OIDC seems about the most plausible candidate for a “good general solution” that I’m aware of.   -T
On Tue, Feb 5, 2013 at 1:22 PM, William Mills <wmills_92105@yahoo.com> wrote:
There are some specific design mis-matches for OAuth as an authentication protocol, it's not what it's designed for and there are some problems you will run into.  Some have used it as such, but it's not a good general solution.
 
-bill
 

________________________________
 
From: Paul Madsen <paul.madsen@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com> 
Cc: "oauth@ietf.org WG" <oauth@ietf.org> 
Sent: Tuesday, February 5, 2013 1:12 PM
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
 
why pigeonhole it? 

OAuth can be deployed with no authz semantics at all (or at least as little as any authn mechanism), e.g. client creds grant type with no scopes

I agree that OAuth is not an *SSO* protocol.
On 2/5/13 3:36 PM, John Bradley wrote:
>OAuth is an Authorization protocol as many of us have pointed out. 
> 
>The post is largely correct and based on one of mine.
> 
>John B.
> 
>On 2013-02-05, at 12:52 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
> 
>>FYI and for your comments.. 
>> 
>>http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html
>>
>> 
>>Thanks & Regards,
>>Prabath 
>> 
>>Mobile : +94 71 809 6732 
>>http://blog.facilelogin.com/
>>http://rampartfaq.com/
>>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
> 
> 
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
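The following is an added example, not code from anyone in this thread. It makes concrete Bill's list of what a bare OAuth access token does not carry (who authenticated, when, display name) and Adam's enterprise model where the RS inspects id_token-style claims (identity, LOA) before authorizing. The claim sets are constructed sample data; signature verification of the JWT is assumed to have already happened, and `authn_evidence` and `display_name` are names chosen here.

```python
"""Added example: what a relying party can and cannot learn from token claims.
Assumes the claims were extracted from a JWT whose signature was verified
earlier; all values below are constructed samples, not real tokens."""

# Constructed sample: a plain OAuth 2.0 access token typically carries only
# what the RS needs for authorization (scope, expiry, audience) and nothing
# about the login event itself.
ACCESS_TOKEN_CLAIMS = {"iss": "https://as.example", "aud": "api.example",
                       "scope": "read", "exp": 1360115312}

# Constructed sample: an OIDC-style id_token adds the pieces Bill lists as
# missing (subject, auth_time, display name) plus an LOA-style claim (acr)
# of the kind Adam's RS would examine.
ID_TOKEN_CLAIMS = {"iss": "https://as.example", "aud": "rp.example",
                   "sub": "u-12345", "auth_time": 1360111712, "name": "Bill",
                   "acr": "urn:example:loa:2", "exp": 1360115312}


def authn_evidence(claims, expected_iss, expected_aud, now, max_age):
    """Return (ok, problems). ok is True only when the claims answer: which
    user, asserted by which issuer, for which audience, and authenticated
    recently enough (auth_time no more than max_age seconds before now)."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        problems.append("not issued for this audience")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if "sub" not in claims:
        problems.append("no subject: does not say who authenticated")
    auth_time = claims.get("auth_time")
    if auth_time is None:
        problems.append("no auth_time: login event is not bounded in time")
    elif now - auth_time > max_age:
        problems.append("authentication too old for max_age")
    return (not problems, problems)


def display_name(claims):
    """SSO payload: a display name the RP can show, if the token carries one."""
    return claims.get("name")


if __name__ == "__main__":
    now = 1360111800  # constructed "current time", 88 s after auth_time
    for label, claims in (("access token", ACCESS_TOKEN_CLAIMS), ("id_token", ID_TOKEN_CLAIMS)):
        ok, why = authn_evidence(claims, "https://as.example", "rp.example", now, 600)
        print(label, "usable as login evidence:", ok, why, "name:", display_name(claims))
```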