Re: [OAUTH-WG] third party applications
Aaron Parecki <aaron@parecki.com> Fri, 28 August 2020 16:37 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E30813A0DEE for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2020 09:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XaRJaKKUKjsq for <oauth@ietfa.amsl.com>; Fri, 28 Aug 2020 09:37:14 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E74943A0DF3 for <oauth@ietf.org>; Fri, 28 Aug 2020 09:37:13 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id m23so1994271iol.8 for <oauth@ietf.org>; Fri, 28 Aug 2020 09:37:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OPUa6miKlADczBljYH0AuLO9DVDzGNMLMXRTpAyG+ps=; b=S5h/0qxeVzu9HG5PVRZaH6WQ03a4KKGBKxe+ahDE5MOTkgY/uBLeunjAa6/1i8udaK CAKAtruRWWlFyf7Fij+mov+CYQVLZOiuVlokkEUCEN7loHYwwaaNA97XhlQX1wdJCeNd OBKhDMZG8Wev9RozFPAcdpY4yi3v+xz/tlvPsDazNq4ox0YYZRX3W19jCyoMlfL/b2Y7 hXSW/DuplE2Q2PWwg84++0J5xeiK/Vjt0oeuZ1bfAKyBAqzAjdMSah+aeRMwl/1LtmHU lAbIOVvbqk/69JfNcbIbql2cPGCTrJK8IStSRBc7vQ/2XUsgA/uFrVNL37UNKHuMhJ+A LpSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OPUa6miKlADczBljYH0AuLO9DVDzGNMLMXRTpAyG+ps=; b=XRkHrtx3FX98FGwCHNaKEbAzDeNhMwV+Jln/TDIksNXFyt0TCgMzlWK012faoLPWfe 2PrwyB6rnjeAwtUEcGr5GiBAABBV4TwX/6o75ZeaTOJrKXpuAmL+uo96aI11Nt1R6/uE RTMcIVd72cGs2Iph4/X3/cdRFsBCm1mviuz0ckSU7A5yI4/RMDVQCVohY73O7nXSLOLG 66N9GWWDNZj7Z6kx+X+ILjq/jXsHMUYZUtROa75KLKXAC/J3H+TYn1OxMFSac9rddror Ty9hgd8qlIDzpt/OtAuY0es3AYaq8NsM9/hhNH5wd6HOjH+M3wBoBBnxLO8+r7TgEMtd D+CQ==
X-Gm-Message-State: AOAM531pbHtx52sHLccQetiAbudTJAjhXVP+nAAWA4gHHgBZXSobDcaa 0wemVTnwOz3k4XgEoM13Xaazgu6cXuplvQ==
X-Google-Smtp-Source: ABdhPJxTmTUzXUQNFqTMkWoBsydkj+gHAEUJEk1pH7sKFXhwSPOs3P7AtMzWyUrwZ8YQBAPvVyhfHg==
X-Received: by 2002:a05:6638:621:: with SMTP id h1mr1977883jar.143.1598632632478; Fri, 28 Aug 2020 09:37:12 -0700 (PDT)
Received: from mail-il1-f172.google.com (mail-il1-f172.google.com. [209.85.166.172]) by smtp.gmail.com with ESMTPSA id z72sm786516iof.29.2020.08.28.09.37.10 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 28 Aug 2020 09:37:11 -0700 (PDT)
Received: by mail-il1-f172.google.com with SMTP id t4so1218405iln.1 for <oauth@ietf.org>; Fri, 28 Aug 2020 09:37:10 -0700 (PDT)
X-Received: by 2002:a92:9986:: with SMTP id t6mr1347615ilk.28.1598632630617; Fri, 28 Aug 2020 09:37:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAEMK1uY0cSOyyU2t0N9RTOzmMeEpfMsb7K9WfQD=fQdCde9jTQ@mail.gmail.com> <B2AA5092-32BD-499D-9EAF-09AB95E6E9B6@lodderstedt.net>
In-Reply-To: <B2AA5092-32BD-499D-9EAF-09AB95E6E9B6@lodderstedt.net>
From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 28 Aug 2020 09:36:59 -0700
X-Gmail-Original-Message-ID: <CAGBSGjoKfR1DpQ47oDPi8xqt_Bq54ywpTvZkH9uJwHRZkDbf-A@mail.gmail.com>
Message-ID: <CAGBSGjoKfR1DpQ47oDPi8xqt_Bq54ywpTvZkH9uJwHRZkDbf-A@mail.gmail.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Cc: Dima Postnikov <dima@postnikov.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000130f8905adf2aa3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UiVyerleXPUJ1QRxcpeYWJ2QzXY>
Subject: Re: [OAUTH-WG] third party applications
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 16:37:17 -0000
I agree. While the original motivations for OAuth were to support third-party apps, it's proven to be useful in many other kinds of situations as well, even when it's a "first-party" app but the OAuth server is operated by a different organization than the APIs. I don't think the abstract needs any qualification on this and would only confuse people further. Any clarifications of which situations are appropriate for using OAuth could be explored in a different section in the spec. Aaron Parecki On Fri, Aug 28, 2020 at 3:02 AM Torsten Lodderstedt <torsten= 40lodderstedt.net@dmarc.ietf.org> wrote: > I agree. OAuth works for 3rd as well as 1st parties as well. > > > On 28. Aug 2020, at 05:26, Dima Postnikov <dima@postnikov.net> wrote: > > > > Hi, > > > > Can "third-party" term be removed from the specification? > > > > The standard and associated best practices apply to other applications > that act on behalf of a resource owner, too (internal, "first-party" and > etc). > > > > Regards, > > > > Dima > > > > The OAuth 2.1 authorization framework enables a third-party > > > > application to obtain limited access to an HTTP service, either on > > behalf of a resource owner by orchestrating an approval interaction > > between the resource owner and the HTTP service, or by allowing the > > third-party application to obtain access on its own behalf. This > > specification replaces and obsoletes the OAuth 2.0 Authorization > > Framework described in > > RFC 6749. > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] third party applications Dima Postnikov
- Re: [OAUTH-WG] third party applications Torsten Lodderstedt
- Re: [OAUTH-WG] third party applications Dick Hardt
- Re: [OAUTH-WG] third party applications Torsten Lodderstedt
- Re: [OAUTH-WG] third party applications Dick Hardt
- Re: [OAUTH-WG] third party applications Torsten Lodderstedt
- Re: [OAUTH-WG] third party applications Jim Manico
- Re: [OAUTH-WG] third party applications Jeff Craig
- Re: [OAUTH-WG] third party applications Aaron Parecki
- Re: [OAUTH-WG] third party applications Dima Postnikov
- Re: [OAUTH-WG] third party applications Denis
- Re: [OAUTH-WG] third party applications Dima Postnikov
- Re: [OAUTH-WG] third party applications William Denniss
- Re: [OAUTH-WG] third party applications Torsten Lodderstedt
- Re: [OAUTH-WG] third party applications Jeff Craig
- Re: [OAUTH-WG] third party applications Dima Postnikov