Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model
Warren Parad <wparad@rhosys.ch> Tue, 23 February 2021 23:14 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RBPHF_bHN9MEALdxi_6yHXGntOY>
Okay, now I'm lost, what's the point of this discussion? Is there something we are actively trying to achieve? The email subject is *JMAP's experience with proposing an Authentication model*, sometimes sharing experiences is helpful, but I still lack the goal we are attempting to accomplish by doing that.

Are we hoping to change something in particular, if so, what exactly is that? Is it the culture of the group, how the OAuth specs are written, the goal of the WG, or something else?

Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.

On Tue, Feb 23, 2021 at 11:36 PM Evert Pot <me@evertpot.com> wrote:

> If every client and every server needs to implement "*all the popular mechanisms*" then that's not such a big deal when you're shipping the client code for your own server as part of a website, but it's a big deal if you're trying to create a general client and don't want to have to hard-code the specific magic for each server provider.
>
> So the reason to encode the authentication mechanism into JMAP was precisely to reduce the number of possibilities.
>
> I want to echo this as something I also feel OAuth2 has failed at (thus far). We used to be able to point our user-agent at an endpoint, get a WWW-Authenticate & 401, and the agent would be able to figure out how to log the user in. I can't point my browser to an OAuth2 protected endpoint and discover what an API offers.
>
> With OAuth2 we need a ton of out-of-band information. I think this is partially contributing to people not building generic HTTP clients, but SDKs for each service. To some extent I think it's breaking the web.
>
> I hope a future version of OAuth prioritizes server-driven oauth2 configuration.
>
> Evert
>
> P.S.: I do appreciate all the work that has gone into OAuth2, and this specific criticism is not intended as an overall sentiment.