IETF Logo Mail Archive

Re: [OAUTH-WG] Authentication

Sergey Beryozkin <sberyozkin@gmail.com> Thu, 04 September 2014 15:43 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0D841A8983 for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 08:43:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8x06CxCq4ClV for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 08:43:11 -0700 (PDT)
Received: from mail-we0-x234.google.com (mail-we0-x234.google.com [IPv6:2a00:1450:400c:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1680A1A892B for <oauth@ietf.org>; Thu, 4 Sep 2014 08:43:10 -0700 (PDT)
Received: by mail-we0-f180.google.com with SMTP id w61so10458534wes.39 for <oauth@ietf.org>; Thu, 04 Sep 2014 08:43:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=YL2fS8hID9qCEYuwngpkszhxG44yuid2v/9WGzrayeE=; b=0OtqPp0ILHknKUCgWtj6Cg1JDA1tb1lRvPThV/kYSOPXMBQCY/RUD0mhjQuY+qXXEH hWHm1D8qRGafw8Ns2ouz+xfPKYZS/IsGg1umqKFhXkwLFvpurwIrodhDss4qTVR4gQvz KEusDmVFysE4IjIJ3wz5W/OnLGj70dEY6yhGoJC952Gagj2s17LyJfsRQ6qUp9YWEwAr NDVhfgvgMhxdvjifF9akoj3gRF/pXLKbH1msC49NHQgPeWssALOHAcbbKhNl1mkDiZAC YXpdyuUfAA/csfcIDi02CSbKj8pBd4/N1l9DlH690G1MDnauJHFvh2ofnJGlmRtR80rQ xrkg==
X-Received: by 10.180.86.33 with SMTP id m1mr6638888wiz.11.1409845389459; Thu, 04 Sep 2014 08:43:09 -0700 (PDT)
Received: from [192.168.2.7] ([109.255.231.6]) by mx.google.com with ESMTPSA id hi4sm19752347wjb.46.2014.09.04.08.43.08 for <oauth@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Sep 2014 08:43:08 -0700 (PDT)
Message-ID: <54088888.7000502@gmail.com>
Date: Thu, 04 Sep 2014 16:43:04 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <CAOtESJc2rK57rUdUSnp00aCA6O0u=rxgoafotrzMowaPW40ZUA@mail.gmail.com> <E8DED595-8D63-4906-93B0-220B185D8464@mitre.org>
In-Reply-To: <E8DED595-8D63-4906-93B0-220B185D8464@mitre.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/KIgPsQQk5_VA-VTRycBlohPgYZE
Subject: Re: [OAUTH-WG] Authentication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 15:43:19 -0000

Hi Justin


On 04/09/14 13:15, Richer, Justin P. wrote:
> Neither of these are authentication (they don't tell the client or business logic server who the user is or if they're still there), they're authorization and they're both well within the scope  of OAuth.
>
> The first one is a redirect flow, that actually works (in OAuth) like this:
>
> 1) Clients calls business logic server (in OAuth, the Protected Resource)
> 2) Server detects no access token, sends an error response to the client
> 3) Client needs to send the user in a browser to the Authorization Server
> 4) Authorization server prompts the user (not the client) to authenticate and authorize the client
> 5) Authorization server redirects back to the client with either the token (if you're doing implicit flow, inside of a browser) or something the client can use to get a token (authorization code flow)
> 6) Client gets the token and calls the business logic server with said token
>
> In your second scenario, you're really doing the Resource Owner Password flow defined in OAuth. This is generally a bad idea because it exposes the client to the user's credentials and limits you to username/password. The flow is defined mostly as a way to help bridge legacy applications into the OAuth world.

That was a client credentials, right ? And in the client credentials 
case a (legacy) client can effectively authenticate using whatever 
credentials it has

Thanks, Sergey

>
>
> If you actually do want authentication (i.e., the client knowing who the user is) on top of this authorized call to the business logic service, then you'll need an identity API, which is what OpenID Connect provides in a well-defined well-used standard.
>
>   -- Justin
>
>
> On Sep 4, 2014, at 5:30 AM, Frizz <frizzthecat@googlemail.com> wrote:
>
>> Hello there,
>>
>> I have a question regarding Authentication:
>>
>> The following two scenarios, are they typical use cases for OAuth? Or OpenId-Connect? Or something completely different?
>>
>> Flow (A) would be like this:
>> (1) Client calls Business Logic Server
>> (2) Server detects there’s no Access Token in HTTP headers
>> (3) Server redirects to *some* Authentication Server
>> (4) Authentication Server challenges Client for Username/Password
>> (5) Client (now with valid Access Token) is redirected to Business Logic Server and completes operation
>>
>> Flow (B) would look like this:
>> (1) Client directly calls Authentication Server (kinda explicit Login call) with Username/Password and gets an Access Token in return
>> (2) Client uses this Access Token for all calls to the Business Logic Server
>>
>> cheers,
>> Frizz
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email