Re: [OAUTH-WG] On the ease of writing an authorization server
David Recordon <recordond@gmail.com> Tue, 15 June 2010 15:53 UTC
Date: Tue, 15 Jun 2010 08:53:08 -0700
Message-ID: <AANLkTimqM9Y_BjgzF3Oy6ccADD_VTNIzwvZiWvK39vGp@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Andrew Arnott <andrewarnott@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
I frame this goal a little differently. When there is a decision about where to place needed complexity, we should place as little as possible of it on the client. This means that the AS is more complex, but I think that is the correct decision.

--David

On Tue, Jun 15, 2010 at 8:19 AM, Andrew Arnott <andrewarnott@gmail.com> wrote:
> I've read a few comments on this DL that a primary goal is that writing an
> OAuth 2.0 client should be very easy. I think we're doing well here. I
> know this ease for the client necessarily comes at the expense of some
> complexity on the server. As has also been pointed out recently (by Eran, I
> believe) the AS' job is considerably more complex now than it was in OAuth
> 1.0.
>
> While overall this may be a win, it also seems optimized for the few large
> service providers that are driving the spec (Facebook, Twitter, etc.). They
> definitely have the resources and understanding that a large investment in
> security is important. But as more web sites across the Internet drop using
> user passwords in favor of federated identity and/or OpenID-type protocols,
> the only way these sites can delegate access to user data will be to use a
> protocol like OAuth 2.0 since user passwords will no longer apply.
> Therefore very many web sites will become OAuth 2.0 resource servers, and
> likely given their size and requirements will be their own authorization
> server as well. Now we have a complex server-side protocol that may be
> "too" complex for the average-sized web site to implement correctly and
> confidently.
>
> So my $0.02 here is that we try to keep the AS side simple as well where
> possible. And invite responses from others.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre