[OAUTH-WG] Reason why no user identifier?
Jim Pravetz <jdp@cayosystems.com> Sat, 11 September 2010 01:02 UTC
From: Jim Pravetz <jdp@cayosystems.com>
To: oauth@ietf.org
Date: Fri, 10 Sep 2010 18:03:08 -0700
Message-ID: <AANLkTimaXNz9tcjRuDULx07n72U20tXBc8pw6NuDS_vE@mail.gmail.com>
I'm curious and would appreciate some background as to why there is no user identifier associated with tokens (access, refresh, or authorization code)? It seems so common to use identifiers, and convenient, that this is a surprise. In contrast, the spec does define a client identifier.

In my use case I have a client (native application) that stores records retrieved from a server, for one or more individuals (i.e. I maintain credentials for multiple users). Without a user identifier, it would seem that user identification would have to be retrieved from data returned from the protected resource, and it seems plausible that existing protocols might not have this capability.

It would also seem more efficient to be able to determine if a user already has a local (on client) credential without going through the full process of getting an access token and retrieving a protected resource. For instance, if a user initiates an enrollment process, the process could be stopped early if a token for a userid is already possessed.

I would think the protected resource server would also benefit from a user identifier. At a minimum it would provide useful logging information for failed login attempts, and perhaps could be used in risk analysis.

Apologies if this is an old topic or if I missed the explanation somewhere.

Regards,
Jim
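The situation the message describes, as an added example that is not part of the thread or of any OAuth implementation: a native client holding credentials for several users, where the token response carries no user identifier, so the client can only learn whose token it holds by calling a protected resource. The authorization server, the `userinfo` resource, its `user_id` field, the `round_trips` counter and the collapsed one-call authorization flow are all constructed stand-ins (the core spec defines no resource that reveals a token's owner). Credentials are keyed by (server, user) so that an identity learned from one server is never treated as an identity at another.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    access_token: str
    refresh_token: str
    user_id: str  # learned from the protected resource, never from the token response


class FakeAuthorizationServer:
    """Constructed stand-in for an OAuth 2.0 authorization server plus one
    protected resource that reveals the token's owner (an assumption; the
    core spec defines no such resource)."""

    def __init__(self):
        self._owner_of = {}        # access_token -> user_id
        self.failed_attempts = []  # what the resource server can log on bad tokens

    def authorize_and_exchange(self, resource_owner: str) -> dict:
        """The whole authorization flow collapsed into one call; resource_owner
        is the account the person signs in as at the server. The response is
        shaped like a spec token response: no user identifier in it."""
        access = secrets.token_urlsafe(16)
        self._owner_of[access] = resource_owner
        return {"access_token": access, "token_type": "bearer",
                "refresh_token": secrets.token_urlsafe(16)}

    def userinfo(self, bearer: str) -> dict:
        """Protected resource. On a bad token only a token fragment can be
        logged, because the request carries no user identifier."""
        if bearer not in self._owner_of:
            self.failed_attempts.append(bearer[:6] + "...")
            raise PermissionError("invalid_token")
        return {"user_id": self._owner_of[bearer]}


class ClientStore:
    """Native-client credential store for many users of one server."""

    def __init__(self, server_name: str, server: FakeAuthorizationServer):
        self.server_name = server_name
        self.server = server
        self._creds = {}      # (server_name, user_id) -> Credential
        self.round_trips = 0  # network exchanges spent, for comparison

    def has_credential(self, user_id: str) -> bool:
        return (self.server_name, user_id) in self._creds

    def users(self) -> list:
        return sorted(uid for (_, uid) in self._creds)

    def enroll(self, resource_owner: str, claimed_user_id=None):
        """Returns (credential, newly_obtained).

        claimed_user_id is whatever the person typed into the client: an
        untrusted hint. It is enough to stop enrollment early when we already
        hold a credential under that id, but it is never written to the store."""
        if claimed_user_id is not None and self.has_credential(claimed_user_id):
            return self._creds[(self.server_name, claimed_user_id)], False

        # No identifier in the token response, so pay for the full flow ...
        resp = self.server.authorize_and_exchange(resource_owner)
        self.round_trips += 1
        # ... plus one protected-resource call just to learn who the token is for.
        user_id = self.server.userinfo(resp["access_token"])["user_id"]
        self.round_trips += 1

        key = (self.server_name, user_id)
        if key in self._creds:
            # Hint absent or wrong, but we already had this user: keep the
            # existing credential instead of accumulating duplicates. The
            # freshly issued token is simply dropped here.
            return self._creds[key], False
        cred = Credential(resp["access_token"], resp["refresh_token"], user_id)
        self._creds[key] = cred
        return cred, True


if __name__ == "__main__":
    srv = FakeAuthorizationServer()
    store = ClientStore("as.example", srv)
    store.enroll("alice")                          # 2 exchanges, identity learned
    store.enroll("alice", claimed_user_id="alice")  # 0 exchanges, stopped early
    store.enroll("alice", claimed_user_id="bob")    # 2 exchanges, found duplicate
    print(store.users(), store.round_trips)
```

The hint-based short-circuit is the only place the client avoids the network, and it is safe only because the hint never becomes the stored identity; the identity bound to a credential always comes from the resource the token was used against.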
- [OAUTH-WG] Reason why no user identifier? Jim Pravetz
- Re: [OAUTH-WG] Reason why no user identifier? William Mills
- Re: [OAUTH-WG] Reason why no user identifier? Jim Pravetz
- Re: [OAUTH-WG] Reason why no user identifier? William Mills
- Re: [OAUTH-WG] Reason why no user identifier? David Recordon