Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

Tim Bray <twbray@google.com> Tue, 05 February 2013 21:28 UTC

From: Tim Bray <twbray@google.com>
Date: Tue, 05 Feb 2013 13:27:34 -0800
To: William Mills <wmills_92105@yahoo.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

OIDC seems about the most plausible candidate for a “good general solution”
that I’m aware of.   -T

On Tue, Feb 5, 2013 at 1:22 PM, William Mills <wmills_92105@yahoo.com> wrote:

> There are some specific design mis-matches for OAuth as an authentication
> protocol, it's not what it's designed for and there are some problems you
> will run into.  Some have used it as such, but it's not a good general
> solution.
>
> -bill
>
>   ------------------------------
> *From:* Paul Madsen <paul.madsen@gmail.com>
> *To:* John Bradley <ve7jtb@ve7jtb.com>
> *Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
> *Sent:* Tuesday, February 5, 2013 1:12 PM
> *Subject:* Re: [OAUTH-WG] Why OAuth it self is not an authentication
> framework ?
>
> why pigeonhole it?
>
> OAuth can be deployed with no authz semantics at all (or at least as
> little as any authn mechanism), e.g. client creds grant type with no scopes
>
> I agree that OAuth is not an *SSO* protocol.
>
> On 2/5/13 3:36 PM, John Bradley wrote:
>
> OAuth is an Authorization protocol as many of us have pointed out.
>
> The post is largely correct and based on one of mine.
>
> John B.
>
> On 2013-02-05, at 12:52 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
>
> FYI and for your comments..
>
>
> http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html
>
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com/
> http://rampartfaq.com/
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth