Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

John Bradley <ve7jtb@ve7jtb.com> Wed, 06 February 2013 16:21 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3222721F879E for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 08:21:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.148
X-Spam-Level:
X-Spam-Status: No, score=-3.148 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_210=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e3YAc0VuIITB for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 08:21:56 -0800 (PST)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) by ietfa.amsl.com (Postfix) with ESMTP id 616F921F8715 for <oauth@ietf.org>; Wed, 6 Feb 2013 08:21:55 -0800 (PST)
Received: by mail-ob0-f169.google.com with SMTP id ta14so1648605obb.0 for <oauth@ietf.org>; Wed, 06 Feb 2013 08:21:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=3dYtosZyuZo8zqG+Hb3vZz1Hy89DoR6tFd86sUT0FzQ=; b=bg2yGxoIU3lX8MSR+FyUWjNx5AC0uqkaiLrYj44lYqS1DFQfI5MW+ecBLWgVUTTIxr rRCyq3x7INy2MZ44/YYl3kL9/S+0IGjZs6U3UO7yNS/vwaM4FHjSk5CJ8OjMio7oCHZv apVI9hdPWLmDDSEXOo6L45lqUXDFQia0TO5GZCu52kBEcVbD3m2JJkhRlp+oDrg152Hl p5LLMln6cor1ZMaCn8P348cCwdsWTVAnaQez6EFFnCJ3jp1prS+FSTGTOE5d7QlKCepa Z+MTdYC2lvWg60uxmvCD7Ph8wweNPlVq1Q//ddzCMyyO9pH32zW0p21BydqjtQfWehk5 aeqQ==
X-Received: by 10.60.32.84 with SMTP id g20mr4622536oei.42.1360167714779; Wed, 06 Feb 2013 08:21:54 -0800 (PST)
Received: from [10.37.15.80] ([96.8.44.21]) by mx.google.com with ESMTPS id dl6sm29747856obb.5.2013.02.06.08.21.51 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 06 Feb 2013 08:21:53 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_2029DE69-EFBF-41E5-A6CB-1B623885D36E"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A9483E7E50@BY2PRD0411MB441.namprd04.prod.outlook.com>
Date: Wed, 06 Feb 2013 09:21:48 -0700
Message-Id: <E52E0947-31AE-4F33-BE7E-4D3D6E8D2FFB@ve7jtb.com>
References: <CAJV9qO_J1-AhGB=XST0R-kwAd-9hjUbCJ4ieBPoE_OMe760mqg@mail.gmail.com> <73B7EC23-AA93-42EE-B3EB-35BA1B82558F@ve7jtb.com> <511175AA.9030301@gmail.com> <1360099372.47338.YahooMailNeo@web31807.mail.mud.yahoo.com> <CA+ZpN27GnnU6w5Dnth4zfsa+nMhi6Rsyqmq-tYOqG54+Sh-9ww@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A9483E7B3D@BY2PRD0411MB441.namprd04.prod.outlook.com> <1360111712.54487.YahooMailNeo@web31812.mail.mud.yahoo.com> <59E470B10C4630419ED717AC79FCF9A9483E7E50@BY2PRD0411MB441.namprd04.prod.outlook.com>
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQm92hoKcp5/dVg+LRxKVi4XS6Ztl+s1x6xbbu4c9Sphzr+O+8lkMqT2Y1P3r2JiUWBmz2J6
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 16:21:59 -0000

Adam,

We have made some changes in the latest draft to address some input from Google that I think may also address your need to using the id_token in an assertion or possibly as an access token to a federated RS.

I can go over it with you if you like.

John B.

On 2013-02-06, at 9:05 AM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> wrote:

> Hi Bill,
>  
> My reason for using OAuth rather than OIDC is because the id_token in OIDC is audience restricted to the client.  This was clearly intended for WebSSO / authentication to a client running on a web server.  It does not help the case where the user of a RESTful native client want to authenticate to a RESTful web service. 
>  
> I agree that OAuth lacks a “defined” way to communicate what is in the AT (as OAuth does not define the content of the AT), but within an enterprise domain this is easy to solve by profiling.  And in any implementation of OAuth on the Internet, the AT must at some level identify the user to the RS.  Otherwise how else would the RS know who’s protected resources the client is trying to access?  Now whether the RS learns that through introspection or by parsing a JWT-structured AT is of course not defined.  But at the end of the day, the AT definitely (in all cases that I can think of) identifies the user. 
>  
> I am open minded to using OIDC if in the future if the client can request an id_token that is audience restricted to the RS it is going to communicate.  In other words, yes I agree that OIDC is the preferred mechanism for performing “user authentication to a client,” but I also argue that OAuth is the best method to perform “user authentication to an RS” (if you want to get your RS out of the password consumption business).  I am not at all advocating OAuth for authentication to a client. 
>  
> -adam
>  
> From: William Mills [mailto:wmills_92105@yahoo.com] 
> Sent: Tuesday, February 05, 2013 6:49 PM
> To: Lewis Adam-CAL022; Tim Bray
> Cc: "WG <oauth@ietf.org>"@il06exr02.mot.com
> Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
>  
> Why use OAuth when OpenID does everything that OAuth can do as an authentication method and does a few things much better?
>  
> Specifically OAuth lacks any defined way to:
>  
> -    feed back any additional information like the real user ID (as opposed to what the entered)
> -    bound an authentication event in time
> -    provide any form of additional SSO payload like a display name for the user
>  
> there's probably other things.
>  
> It'll mostly work but there are things it doesn't do.  Could you solve some of the rest of this with token introspection or a user API that the RP could use to fetch user info, sure, but why rebuild OpenID when OpenID exists?
>  
> -bill
>  
>  
> From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
> To: Tim Bray <twbray@google.com>; William Mills <wmills_92105@yahoo.com> 
> Cc: "oauth@ietf.org WG" <oauth@ietf.org> 
> Sent: Tuesday, February 5, 2013 2:27 PM
> Subject: RE: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
>  
> I think this is becoming a largely academic / philosophical argument by this time.  The people who designed OAuth will likely point out that it was conceptualized as an authorization protocol to enable a RO to delegate access to a client to access its protected resources on some RS.  And of course this is the history of it.  And the RO and end-user were typically the same entity.  But get caught up in what it was envisioned to do vs. real life use cases that OAuth can solve (and is solving) beyond its initial use cases misses the point … because OAuth is gaining traction in the enterprise and will be used in all different sorts of ways, including authentication. 
>  
> This is especially true of RESTful APIs within an enterprise where the RO and end-user are *not* the same: e.g. RO=enterprise and end-user=employee.  In this model the end-user is not authorizing anything when their client requests a token from the AS … they authenticate to the AS and the client gets an AT, which will likely be profiled by most enterprise deployments to look something like an OIDC id_token.  The AT will be presented to the RS which will examine the claims (user identity, LOA, etc.) and make authorization decisions based on business logic.  The AT has not authorized the user to do anything, it has only made an assertion that the user has been authenticated by the AS (sort of sounds a lot like an IdP now).
>  
> All this talked of OAuth being authorization and not authentication was extremely confusing to me when I first started looking at OAuth for my use cases, and I think at some point the authors of OAuth are going to have to recognize that their baby has grown up to be multi-faceted (and I mean this as a complement).  The abstractions left in the OAuth spec (while some have claimed of the lack of interoperability it will cause) will also enable it to be used in ways possibly still not envisioned by any of us.  I think as soon as we can stop trying to draw the artificial line around OAuth being “an authorization protocol” the better things will be.
>  
> I like to say that they authors had it right when they named it “OAuth” and not “OAuthR” J
>  
> -adam
>  
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tim Bray
> Sent: Tuesday, February 05, 2013 3:28 PM
> To: William Mills
> Cc: oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
>  
> OIDC seems about the most plausible candidate for a “good general solution” that I’m aware of.   -T
> On Tue, Feb 5, 2013 at 1:22 PM, William Mills <wmills_92105@yahoo.com> wrote:
> There are some specific design mis-matches for OAuth as an authentication protocol, it's not what it's designed for and there are some problems you will run into.  Some have used it as such, but it's not a good general solution.
>  
> -bill
>  
> From: Paul Madsen <paul.madsen@gmail.com>
> To: John Bradley <ve7jtb@ve7jtb.com> 
> Cc: "oauth@ietf.org WG" <oauth@ietf.org> 
> Sent: Tuesday, February 5, 2013 1:12 PM
> Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
>  
> why pigeonhole it? 
> 
> OAuth can be deployed with no authz semantics at all (or at least as little as any authn mechanism), e.g client creds grant type with no scopes
> 
> I agree that OAuth is not an *SSO* protocol.
> On 2/5/13 3:36 PM, John Bradley wrote:
> OAuth is an Authorization protocol as many of us have pointed out.
>  
> The post is largely correct and based on one of mine.
>  
> John B.
>  
> On 2013-02-05, at 12:52 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
>  
> FYI and for your comments..
>  
> http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html
>  
> Thanks & Regards,
> Prabath
>  
> Mobile : +94 71 809 6732 
> http://blog.facilelogin.com/
> http://rampartfaq.com/
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>  
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>  
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth