Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

Warren Parad <wparad@rhosys.ch> Tue, 23 February 2021 23:14 UTC

From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 24 Feb 2021 00:14:23 +0100
Message-ID: <CAJot-L3wQFVvhT3=JiV51PWv6T2FE+gdLkFOO7xGTsrzhEwcJw@mail.gmail.com>
To: Evert Pot <me@evertpot.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RBPHF_bHN9MEALdxi_6yHXGntOY>

Okay, now I'm lost. What's the point of this discussion? Is there something
we are actively trying to achieve?

The email subject is *JMAP's experience with proposing an Authentication
model*. Sometimes sharing experiences is helpful, but I still lack the goal
we are attempting to accomplish by doing that. Are we hoping to change
something in particular? If so, what exactly is that? Is it the culture of
the group, how the OAuth specs are written, the goal of the WG, or
something else?

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Tue, Feb 23, 2021 at 11:36 PM Evert Pot <me@evertpot.com> wrote:

>
> If every client and every server needs to implement "*all the popular
> mechanisms*" then that's not such a big deal when you're shipping the
> client code for your own server as part of a website, but it's a big deal
> if you're trying to create a general client and don't want to have to
> hard-code the specific magic for each server provider.
>
> So the reason to encode the authentication mechanism into JMAP was
> precisely to reduce the number of possibilities.
>
> I want to echo this as something I also feel OAuth2 has failed at
> (thus far). We used to be able to point our user-agent at an endpoint, get a
> WWW-Authenticate & 401, and the agent would be able to figure out how to
> log the user in. I can't point my browser to an OAuth2 protected endpoint
> and discover what an API offers.
>
> With OAuth2 we need a ton of out-of-band information. I think this is
> partially contributing to people not building generic HTTP clients, but
> SDKs for each service. To some extent I think it's breaking the web.
>
> I hope a future version of OAuth prioritizes server-driven oauth2
> configuration.
>
> Evert
>
> P.S.: I do appreciate all the work that has gone into OAuth2, and this
> specific criticism is not intended as an overall sentiment.
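As an added illustration of the discovery gap Evert describes above (example code written for this note, not from JMAP, OAuth or anyone on this thread): a small RFC 7235 challenge parser run over constructed 401 challenges, showing that Basic and Digest challenges are self-describing while a Bearer challenge (RFC 6750) names no place to obtain a token. The sample header values and the plan_for_401 helper are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Simplified RFC 7235 grammar: a scheme token followed by comma-separated
# auth-params with token or quoted-string values. token68 blobs (e.g. Negotiate)
# are not handled; Basic, Digest and Bearer challenges never use them.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_ITEM = re.compile(rf'\s*(?:,\s*)*({_TOKEN})(?:\s*=\s*({_TOKEN}|{_QUOTED}))?')

@dataclass
class Challenge:
    scheme: str
    params: dict = field(default_factory=dict)

def _unquote(raw):
    return re.sub(r'\\(.)', r'\1', raw[1:-1]) if raw.startswith('"') else raw

def parse_www_authenticate(value):
    """Split one WWW-Authenticate value into its challenges, in order."""
    value = value.strip()
    challenges, pos = [], 0
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        name, raw = m.group(1), m.group(2)
        pos = m.end()
        if raw is None:                      # bare token: a new auth scheme
            challenges.append(Challenge(name))
        elif not challenges:
            raise ValueError("auth-param before any scheme")
        else:
            challenges[-1].params[name.lower()] = _unquote(raw)
    return challenges

# Basic/Digest carry everything a generic agent needs to prompt and retry.
# A Bearer challenge carries only realm/scope/error, never a token source,
# so the agent cannot continue without out-of-band configuration.
SELF_DESCRIBING = {"basic", "digest"}

def plan_for_401(www_authenticate):
    """Return (scheme, action) pairs for each challenge in a 401 response."""
    plan = []
    for ch in parse_www_authenticate(www_authenticate):
        if ch.scheme.lower() in SELF_DESCRIBING:
            plan.append((ch.scheme, "prompt for credentials and retry"))
        elif ch.scheme.lower() == "bearer":
            plan.append((ch.scheme, "blocked: no token source in challenge"))
        else:
            plan.append((ch.scheme, "unsupported scheme"))
    return plan

# Constructed sample challenges, as a resource server might send them.
SAMPLE_BEARER = 'Bearer realm="api.example", scope="mail:read", error="invalid_token"'
SAMPLE_MIXED = 'Digest realm="mail", qop="auth", nonce="abc123", Basic realm="mail"'
```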