Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Tue, 05 February 2013 22:34 UTC

From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Tim Bray <twbray@google.com>, William Mills <wmills_92105@yahoo.com>
Date: Tue, 05 Feb 2013 22:27:12 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A9483E7B3D@BY2PRD0411MB441.namprd04.prod.outlook.com>
References: <CAJV9qO_J1-AhGB=XST0R-kwAd-9hjUbCJ4ieBPoE_OMe760mqg@mail.gmail.com> <73B7EC23-AA93-42EE-B3EB-35BA1B82558F@ve7jtb.com> <511175AA.9030301@gmail.com> <1360099372.47338.YahooMailNeo@web31807.mail.mud.yahoo.com> <CA+ZpN27GnnU6w5Dnth4zfsa+nMhi6Rsyqmq-tYOqG54+Sh-9ww@mail.gmail.com>
In-Reply-To: <CA+ZpN27GnnU6w5Dnth4zfsa+nMhi6Rsyqmq-tYOqG54+Sh-9ww@mail.gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

I think this is becoming a largely academic / philosophical argument by this time.  The people who designed OAuth will likely point out that it was conceptualized as an authorization protocol to enable a RO to delegate access to a client to access its protected resources on some RS.  And of course this is the history of it.  And the RO and end-user were typically the same entity.  But getting caught up in what it was envisioned to do vs. real-life use cases that OAuth can solve (and is solving) beyond its initial use cases misses the point … because OAuth is gaining traction in the enterprise and will be used in all different sorts of ways, including authentication.

This is especially true of RESTful APIs within an enterprise where the RO and end-user are *not* the same: e.g. RO=enterprise and end-user=employee.  In this model the end-user is not authorizing anything when their client requests a token from the AS … they authenticate to the AS and the client gets an AT, which will likely be profiled by most enterprise deployments to look something like an OIDC id_token.  The AT will be presented to the RS, which will examine the claims (user identity, LOA, etc.) and make authorization decisions based on business logic.  The AT has not authorized the user to do anything; it has only made an assertion that the user has been authenticated by the AS (sort of sounds a lot like an IdP now).

All this talk of OAuth being authorization and not authentication was extremely confusing to me when I first started looking at OAuth for my use cases, and I think at some point the authors of OAuth are going to have to recognize that their baby has grown up to be multi-faceted (and I mean this as a compliment).  The abstractions left in the OAuth spec (while some have claimed of the lack of interoperability it will cause) will also enable it to be used in ways possibly still not envisioned by any of us.  I think the sooner we can stop trying to draw the artificial line around OAuth being “an authorization protocol”, the better things will be.

I like to say that the authors had it right when they named it “OAuth” and not “OAuthR” ☺

-adam
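The enterprise flow Adam describes above (end-user authenticates to the AS, the client receives an AT profiled like an id_token, the RS checks the claims and applies its own business logic), as an added example that is not part of the original thread. The HS256 signing, the shared key, the issuer/audience URLs and the `acr` values are constructed assumptions; the point it shows is that the RS treats the token as an authentication assertion only after validating it, and still makes the authorization decision itself.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a key shared by AS and RS, plus issuer/audience identifiers.
AS_KEY = b"example-shared-key-not-for-production"
AS_ISSUER = "https://as.example.corp"
RS_AUDIENCE = "https://api.example.corp/payroll"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """AS side: issue a JWS-style (HS256) access token carrying authentication claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """RS side: check alg, signature, issuer, audience and expiry before trusting any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the RS, not the token, fixes the algorithm
    expected = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != RS_AUDIENCE:
        raise ValueError("token was not issued for this RS")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def authorize(claims: dict, action: str) -> bool:
    """RS business logic: the token asserts who authenticated and how (OIDC 'acr');
    whether that subject may perform the action is decided here, not by the AS."""
    high_loa = claims.get("acr") == "urn:example:loa:2"  # constructed acr value
    if action == "view_payslip":
        return "sub" in claims   # any authenticated employee
    if action == "change_bank_account":
        return high_loa          # only with a stronger authentication context
    return False
```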

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Tim Bray
Sent: Tuesday, February 05, 2013 3:28 PM
To: William Mills
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

OIDC seems about the most plausible candidate for a “good general solution” that I’m aware of.   -T
On Tue, Feb 5, 2013 at 1:22 PM, William Mills <wmills_92105@yahoo.com> wrote:
There are some specific design mismatches for OAuth as an authentication protocol, it's not what it's designed for and there are some problems you will run into.  Some have used it as such, but it's not a good general solution.

-bill

________________________________
From: Paul Madsen <paul.madsen@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Sent: Tuesday, February 5, 2013 1:12 PM
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

why pigeonhole it?

OAuth can be deployed with no authz semantics at all (or at least as little as any authn mechanism), e.g. client creds grant type with no scopes

I agree that OAuth is not an *SSO* protocol.
On 2/5/13 3:36 PM, John Bradley wrote:
OAuth is an Authorization protocol as many of us have pointed out.

The post is largely correct and based on one of mine.

John B.

On 2013-02-05, at 12:52 PM, Prabath Siriwardena <prabath@wso2.com> wrote:

FYI and for your comments..

http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html

Thanks & Regards,
Prabath

Mobile : +94 71 809 6732
http://blog.facilelogin.com/
http://rampartfaq.com/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
