Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
Tim Bray <twbray@google.com> Tue, 05 February 2013 21:28 UTC
To: William Mills <wmills_92105@yahoo.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>

OIDC seems about the most plausible candidate for a “good general solution” that I’m aware of. -T

On Tue, Feb 5, 2013 at 1:22 PM, William Mills <wmills_92105@yahoo.com> wrote:

> There are some specific design mis-matches for OAuth as an authentication
> protocol, it's not what it's designed for and there are some problems you
> will run into. Some have used it as such, but it's not a good general
> solution.
>
> -bill
>
> ------------------------------
> *From:* Paul Madsen <paul.madsen@gmail.com>
> *To:* John Bradley <ve7jtb@ve7jtb.com>
> *Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
> *Sent:* Tuesday, February 5, 2013 1:12 PM
> *Subject:* Re: [OAUTH-WG] Why OAuth it self is not an authentication
> framework ?
>
> why pigeonhole it?
>
> OAuth can be deployed with no authz semantics at all (or at least as
> little as any authn mechanism), e.g client creds grant type with no scopes
>
> I agree that OAuth is not an *SSO* protocol.
>
> On 2/5/13 3:36 PM, John Bradley wrote:
>
> OAuth is an Authorization protocol as many of us have pointed out.
>
> The post is largely correct and based on one of mine.
>
> John B.
>
> On 2013-02-05, at 12:52 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
>
> FYI and for your comments..
>
> http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html
>
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com/
> http://rampartfaq.com/
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth