IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

Phil Hunt <phil.hunt@oracle.com> Thu, 24 July 2014 17:15 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2ADC1A064A for <oauth@ietfa.amsl.com>; Thu, 24 Jul 2014 10:15:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uEnvjUA7uoGd for <oauth@ietfa.amsl.com>; Thu, 24 Jul 2014 10:15:49 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE3321A0444 for <oauth@ietf.org>; Thu, 24 Jul 2014 10:15:49 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s6OHFm09012572 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Jul 2014 17:15:49 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s6OHFl43012726 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 24 Jul 2014 17:15:48 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s6OHFlkl007059; Thu, 24 Jul 2014 17:15:47 GMT
Received: from [31.133.145.238] (/31.133.145.238) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 24 Jul 2014 10:15:47 -0700
References: <201407221830.s6MIUYrf031075@outgoing.mit.edu> <2cc10b23a4238ec0c76087b09d1d290a@lodderstedt.net> <6859A770-F6D2-4481-BD5F-2E73779BC745@ve7jtb.com> <4E1F6AAD24975D4BA5B16804296739439ADDE116@TK5EX14MBXC294.redmond.corp.microsoft.com> <CABzCy2Ar_pJt30ctP6hQ47rpSUGMh-+rrYssWe+XFNY73dA_YQ@mail.gmail.com> <CAEayHENLvazYAcu==_3CM9x91DDqhHngtSarm4_qBu5Zf_-ipw@mail.gmail.com> <CAEayHENtujNPbVFYjO3iCN43R! V3AWdxKFrX4qhDgMwKz6VtGhw@mail.gmail.com> <B3031E2C-8F1E-4DEC-B739-2F2FFC349D39@lodderstedt.net> <B86C4C6C-AC24-45DF-A3B4-F8D1A88BC64A@ve7jtb.com> <d4b20f338a298530b4a3430386502d25@lodderstedt.net> <1E5B5066-E619-4965-B941-62C2CD72A37E@ve7jtb.com> <CABzCy2Dmms4MGTsuQkzu3uQGChLtNDKQREo1_S7UwfaW3hQnqA@mail.gmail.com> <CA+k3eCSiwB3pC5j+zFgrLHg7DdnWMjdJ7VVfY=NWbeY-3ndoyA@mail.gmail.com> <9dbf8c7384e341a08334a9ee093697f8@BLUPR03MB309.namprd03.prod.outlook.com> <CA+k3eCTFpOyM78r7NAY=LVbYgdYC5dXUP4ej9i1ZUT6m_rO8PQ@mail.gmail.com> <45D858DE-6F5E-46D4-828C-9C4C80C3AC2A@oracle.com! > <53D13898.9060701@redhat.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <53D13898.9060701@redhat.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <42DC0AD2-FF37-405B-B72B-DCD39DAF379F@oracle.com>
X-Mailer: iPhone Mail (11D257)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 24 Jul 2014 13:15:48 -0400
To: Bill Burke <bburke@redhat.com>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GQ-O-mxewXAoJAEcFNBiJY3GOWo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 17:15:51 -0000

My comments are not motivated in any way by my employer. The probably wish like you I would drop it. 

I am simply reporting what I see in the wild. 

Phil

> On Jul 24, 2014, at 12:47, Bill Burke <bburke@redhat.com> wrote:
> 
> 
> 
>> On 7/24/2014 10:30 AM, Phil Hunt wrote:
>> Horseshit.
> 
> Horseshit to your horseshit.
> 
>> Ian failed to mention that we’re responding to bad use of 6749 by
>> assuming receipt of access token == authentication.
>> 
>> The OAuth WG is not creating a new feature and we are not re-inventing
>> here. If anyone is, one could argue that would be OpenID —> at least in
>> the minds of the web developers. They don’t get why they have to use
>> OpenID at all.  Doesn’t OAuth already do this???
> 
> Maybe from your perspective.  From my perspective in the Java community at least, security for REST services is a cluster fuck.  Developers in the Java community are looking for answers.  For most of them, security is an afterthought done at the last minute.  They think OAuth will solve their RESTful security issues only to find that OAuth is just a framework not a protocol and delegates many difficult issues to underlying implementations.
> 
>> The working group is responding to an issue that the market has ALREADY
>> chosen to do all by itself without the presence of any additional
>> specification like A4C or for that matter OpenID.
>> 
>> The market is doing this because_ they are under the false assumption
>> that OAuth is doing authentication_ and that receipt of the access token
>> IS authentication. It is unbelievable how many developers think OAuth
>> stands for Open Authentication.  The specifications are clear. Yet, the
>> problem persists.
>> 
>> If a developer already thinks they have a solution that is good enough,
>> why would they go to another standards organization? They aren’t even
>> looking for an OpenID. They think they already have THE solution!  Which
>> is precisely why OpenID can’t address the issue by itself!  OpenID as an
>> authenticator *is* re-invenention.  Yes, OpenID as an IDP provider
>> standard is its own innovation (re-inventing SAML and many many other
>> protocols of the past), but within the realm of OAuth, yes it is
>> innovation in my opinion..
> 
> Ridiculous statements.  How does anything above justify the existence of A4C.  If developers already have their solutions, why would they give a shit about A4C?
> 
>> But keep in mind that these developers do NOT want an IDP architecture.
> 
> Says who?  You?  And what does an IDP architecture have to do with Open ID Connect or its use with OIDC?  You can still use a vanilla OAuth2 client library with an IDP that implements Open ID Connect.
> 
>> My point in producing the original draft was to show how simple the
>> correction could be — a few pages of clarifying text.
>> 
>> Since OpenID has been proposed as the simple solution, let me point out
>> why it is not for these developers: it is a specification that
>> incredibly complicates OAuth:
>> 
>>  * OpenID adds 6 response types to OAuth’s 2
>>  * OpenID adds 6 errors to OAuth’s 4
>>  * OpenID doubles the number of parameters
>>  * OpenID’s core specification is approximately NINETY THREE pages to
>>    6749’s 76 pages
> 
> Like many have said over and over, A4C is already covered by OpenID. The subset of A4C is already legal under OpenID.
> 
> 
> Besides, you actually think web developers care about reading some IETF specification?  From my 20+ years of developing middleware, developers do not read specifications!  They read the documentation and examples of the frameworks that implement these specifications.
> 
>> 
>> I’m not at all saying that OpenID is bad. If you want an IDP, its fine.
>>  But if all a client wants is authentication, they think why can’t I
>> just use RFC6749?
> 
> Yup.  Like I said before.  If the IDP implements OpenID Connect, there is nothing stopping a client just using vanilla OAuth.
> 
>> The people in the CIS audience were not aware of the facts, so of
>> course, they cheered against what appears to be a fork. That’s after all
>> how it was presented. In fact, Ian’s presentation sounds horribly
>> trivial and insensitive in its handling of this case.
>> 
>> The point is, NOT responding to this issue does not mean it goes away.
>> It gets worse. The market is already choosing to use OAuth for
>> authentication.
> 
> And OpenID Connect is OAUTH!
> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email