[OAUTH-WG] Redirect to STS
Pieter De Rycke <phdrycke@gmail.com> Mon, 22 August 2016 07:25 UTC
Return-Path: <phdrycke@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC65712B036 for <oauth@ietfa.amsl.com>; Mon, 22 Aug 2016 00:25:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7H4yrXeYuqci for <oauth@ietfa.amsl.com>; Mon, 22 Aug 2016 00:25:01 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8927E12B010 for <Oauth@ietf.org>; Mon, 22 Aug 2016 00:24:58 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id u134so46584555ywg.3 for <Oauth@ietf.org>; Mon, 22 Aug 2016 00:24:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=Hku9hzULfu2vnc0Wh7cMqLOPbVEx5+yFwXP5JwjGcxA=; b=gaBvXr4REuiOPCyj3+YzGd7GUup405S4C8snLU4eBfyFd4yfXvcMuOEQmGCz2GmAKN 944V7DXH1zsWlq8++93xOyczLKws5bCGJOUbcZQxc2J5OBr64JrC/Uu74F6B9VrkB2b4 P3FXXD7aeM7TYM3Wq+Z77P4u7mU/0NZweZbcqPD0aeSigs5F08A088n8pB1dduxEOlOi iTqwUP8eUwhvK/yUA75jc05V83obLzRh3S873rZorGyLCAG20ACiPjoz6Io4CmtIuIXs RPddWOzBGlC2T7debVD3Oe/eaUGPzioJjg4Q3jVQ8aLEb1JIqVOXeaqps7c5m/UHObsT S62g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Hku9hzULfu2vnc0Wh7cMqLOPbVEx5+yFwXP5JwjGcxA=; b=QGho6dseoDJ4WKGK0eCoUCXeph3NaYySGSE9AdOzl6yJ2w272Q8ukSvDLPb6HsXtQo 2tCBPZ3ot5KtzxzZ8hqXgY/6GxRdf9sOgM4KmQ2jXUa80WCfsCdrM2aZ0eYMpgGoWhnr snu5/MDcjJ3iNo2eEJIBM+vC0wEXDbrIDqA/AmEFX1FB0f3jse1ks988kSMlMV9aG0cR ALyDnKtAuEEHR2Y3oitqT3lkFDsiMEShZjC6oWJW9hKAsDvJSn/Gyxffq/F9q24RyRjB CPLRlXKiXiPbjU31mM+PXgnk+N7LsSSfPhUOnjiCl1zE+IPNVNZsuVlITH3bxlwQvQVs UNTg==
X-Gm-Message-State: AEkooutkaq/eDleRlfjkpJoKBFiSRe+3+Qai3au+kQ1S11HHu9xt7OrLQLdwVMpwby1RB21x8ecl/crZDES7hQ==
X-Received: by 10.13.214.214 with SMTP id y205mr15436968ywd.209.1471850697672; Mon, 22 Aug 2016 00:24:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.197.140 with HTTP; Mon, 22 Aug 2016 00:24:57 -0700 (PDT)
From: Pieter De Rycke <phdrycke@gmail.com>
Date: Mon, 22 Aug 2016 09:24:57 +0200
Message-ID: <CAAt8o2B-R3xeLGLqfUFV9ptc4P6hkE9bLbYJ5wVkxh3EqjiKbw@mail.gmail.com>
To: "Oauth@ietf.org" <Oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0758b2ff4e30053aa3f11c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AF4KUuoSlDpyPaP__NIUxBn_do4>
X-Mailman-Approved-At: Tue, 23 Aug 2016 08:13:41 -0700
Subject: [OAUTH-WG] Redirect to STS
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2016 07:25:34 -0000
Hello, This might be a stupid question, but why is the redirect happening in OAuth2 spec (+ SAML previously) to the STS login page for cross domain SSO? Our marketing department is against this redirect as it means that users are jumping out of the e-commerce shopping flow. They would prefer a login mechanism in which the login page remains embedded in the e-commerce websites. Having flexible in login options is not necessary for us. We do not expect to move away from username/password anytime soon. We are thinking about an embedded login page, that does a HTTP POST to the STS (to have the cross domain SSO cookies), but render the login form within the ecommerce website. Was there any good reason why the OAuth2/SAML specs are redirecting to an STS hosted page, except flexibility in login options and the STS as trusted authentication system. We are considering such a custom solution, but at the same we would to be sure that we are not missing some important security aspects that might make our authentication solution vulnerable. Kind regards, Pieter
- [OAUTH-WG] Redirect to STS Pieter De Rycke