Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
Nat Sakimura <sakimura@gmail.com> Thu, 07 February 2013 01:49 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B61D21F8546 for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 17:49:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.466
X-Spam-Level:
X-Spam-Status: No, score=-1.466 tagged_above=-999 required=5 tests=[AWL=0.533, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_210=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7ViYSnpORWB for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 17:49:22 -0800 (PST)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 62A4821F8545 for <oauth@ietf.org>; Wed, 6 Feb 2013 17:49:21 -0800 (PST)
Received: by mail-la0-f54.google.com with SMTP id gw10so2033353lab.41 for <oauth@ietf.org>; Wed, 06 Feb 2013 17:49:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=jIxmrultPAQ09IV2MgIhEknkdZddU/nB1KcsrBI6Lr0=; b=0Q+8YbWRv6PVB5FX9YuMsnp9Qw6PDF29Vu9nbL9Ove+7/+OW83zmAJltfuR9CN3KvZ iWlse44hpdq95qqwPqIkn6YzqNEPrIF2AbQ1UVjEn39RfHJYdZCRLqcVNETv6lzj7atL IdKhC+MooVd/DoZv4LV80u6enU1klD21aCnbIaislrNMPZiDXefmf3HY8sB5CFo6y2Q9 RpitULqYTMv65WmyiK5RgAi4sSzcKUSW2Wly4Yx0y+UoEfpGotWj75QO+2Kuq0xdd7om 6So884ZIG5y9n9MjTKNVofX/LPfGG6hmpx7/u3EZB2Yw3vyd1vzj1P9+WmRnkss19bVW mQCg==
MIME-Version: 1.0
X-Received: by 10.152.133.52 with SMTP id oz20mr28586785lab.30.1360201759885; Wed, 06 Feb 2013 17:49:19 -0800 (PST)
Received: by 10.112.6.70 with HTTP; Wed, 6 Feb 2013 17:49:19 -0800 (PST)
In-Reply-To: <E52E0947-31AE-4F33-BE7E-4D3D6E8D2FFB@ve7jtb.com>
References: <CAJV9qO_J1-AhGB=XST0R-kwAd-9hjUbCJ4ieBPoE_OMe760mqg@mail.gmail.com> <73B7EC23-AA93-42EE-B3EB-35BA1B82558F@ve7jtb.com> <511175AA.9030301@gmail.com> <1360099372.47338.YahooMailNeo@web31807.mail.mud.yahoo.com> <CA+ZpN27GnnU6w5Dnth4zfsa+nMhi6Rsyqmq-tYOqG54+Sh-9ww@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A9483E7B3D@BY2PRD0411MB441.namprd04.prod.outlook.com> <1360111712.54487.YahooMailNeo@web31812.mail.mud.yahoo.com> <59E470B10C4630419ED717AC79FCF9A9483E7E50@BY2PRD0411MB441.namprd04.prod.outlook.com> <E52E0947-31AE-4F33-BE7E-4D3D6E8D2FFB@ve7jtb.com>
Date: Wed, 06 Feb 2013 18:49:19 -0700
Message-ID: <CABzCy2DN9UhRJ61+mdbs3ARLAeKv+Yfp6BmeAHAVDGYNauu+BA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="f46d0435c24cb888eb04d518a664"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2013 01:49:23 -0000
Lewis, Specifically, we have defined the following to the id_token. issREQUIRED. Issuer Identifier for the Issuer of the response.subREQUIRED. Subject identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client. e.g. 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length.audREQUIRED. Audience that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Client.azpOPTIONAL. Authorized Party. This member identifies an OAuth 2.0 client authorized to use this ID Token as an OAuth access token. This Claim is only needed when the Authorized Party is different than the Client that requested the ID Token. It MUST contain the client_id of the authorized party. This 'azp' is the new thing. I proposed it as 'reg' (after 'registered instrument/token) and Google is using 'cid' (client id) but it ended up 'azp' (authorized party, which I have a hard time remembering :-) So, if you want to use id_token to authenticate the client to a resource server, then you put the client_id (that the resource server understands) into azp, and the identifier of the resource server into aud. Best, Nat 2013/2/6 John Bradley <ve7jtb@ve7jtb.com> > Adam, > > We have made some changes in the latest draft to address some input from > Google that I think may also address your need to using the id_token in an > assertion or possibly as an access token to a federated RS. > > I can go over it with you if you like. > > John B. > > On 2013-02-06, at 9:05 AM, Lewis Adam-CAL022 < > Adam.Lewis@motorolasolutions.com> wrote: > > Hi Bill,**** > > My reason for using OAuth rather than OIDC is because the id_token in OIDC > is audience restricted to the client. This was clearly intended for WebSSO > / authentication to a client running on a web server. It does not help the > case where the user of a RESTful native client want to authenticate to a > RESTful web service. **** > > I agree that OAuth lacks a “defined” way to communicate what is in the AT > (as OAuth does not define the content of the AT), but within an enterprise > domain this is easy to solve by profiling. And in any implementation of > OAuth on the Internet, the AT must at some level identify the user to the > RS. Otherwise how else would the RS know who’s protected resources the > client is trying to access? Now whether the RS learns that through > introspection or by parsing a JWT-structured AT is of course not defined. > But at the end of the day, the AT definitely (in all cases that I can think > of) identifies the user. **** > > I am open minded to using OIDC if in the future if the client can request > an id_token that is audience restricted to the RS it is going to > communicate. In other words, yes I agree that OIDC is the preferred > mechanism for performing “user authentication to a client,” but I also > argue that OAuth is the best method to perform “user authentication to an > RS” (if you want to get your RS out of the password consumption business). > I am not at all advocating OAuth for authentication to a client. **** > > -adam**** > > *From:* William Mills [mailto:wmills_92105@yahoo.com] > *Sent:* Tuesday, February 05, 2013 6:49 PM > *To:* Lewis Adam-CAL022; Tim Bray > *Cc:* "WG <oauth@ietf.org>"@il06exr02.mot.com > *Subject:* Re: [OAUTH-WG] Why OAuth it self is not an authentication > framework ?**** > ** ** > Why use OAuth when OpenID does everything that OAuth can do as an > authentication method and does a few things much better?**** > > Specifically OAuth lacks any defined way to:**** > > - feed back any additional information like the real user ID (as > opposed to what the entered)**** > - bound an authentication event in time**** > - provide any form of additional SSO payload like a display name for > the user**** > > there's probably other things.**** > > It'll mostly work but there are things it doesn't do. Could you solve > some of the rest of this with token introspection or a user API that the RP > could use to fetch user info, sure, but why rebuild OpenID when OpenID > exists?**** > > -bill**** > > > ------------------------------ > *From:* Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> > *To:* Tim Bray <twbray@google.com>; William Mills <wmills_92105@yahoo.com> > > *Cc:* "oauth@ietf.org WG" <oauth@ietf.org> > *Sent:* Tuesday, February 5, 2013 2:27 PM > *Subject:* RE: [OAUTH-WG] Why OAuth it self is not an authentication > framework ?**** > > I think this is becoming a largely academic / philosophical argument by > this time. The people who designed OAuth will likely point out that it was > conceptualized as an authorization protocol to enable a RO to delegate > access to a client to access its protected resources on some RS. And of > course this is the history of it. And the RO and end-user were typically > the same entity. But get caught up in what it was envisioned to do vs. > real life use cases that OAuth can solve (and is solving) beyond its > initial use cases misses the point … because OAuth is gaining traction in > the enterprise and will be used in all different sorts of ways, including > authentication. **** > **** > This is especially true of RESTful APIs within an enterprise where the RO > and end-user are **not** the same: e.g. RO=enterprise and > end-user=employee. In this model the end-user is not authorizing anything > when their client requests a token from the AS … they authenticate to the > AS and the client gets an AT, which will likely be profiled by most > enterprise deployments to look something like an OIDC id_token. The AT > will be presented to the RS which will examine the claims (user identity, > LOA, etc.) and make authorization decisions based on business logic. The > AT has not authorized the user to do anything, it has only made an > assertion that the user has been authenticated by the AS (sort of sounds a > lot like an IdP now).**** > **** > All this talked of OAuth being authorization and not authentication was > extremely confusing to me when I first started looking at OAuth for my use > cases, and I think at some point the authors of OAuth are going to have to > recognize that their baby has grown up to be multi-faceted (and I mean this > as a complement). The abstractions left in the OAuth spec (while some have > claimed of the lack of interoperability it will cause) will also enable it > to be used in ways possibly still not envisioned by any of us. I think as > soon as we can stop trying to draw the artificial line around OAuth being > “an authorization protocol” the better things will be.**** > **** > I like to say that they authors had it right when they named it “OAuth” > and not “OAuthR” J**** > **** > -adam**** > **** > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf > Of *Tim Bray > *Sent:* Tuesday, February 05, 2013 3:28 PM > *To:* William Mills > *Cc:* oauth@ietf.org WG > *Subject:* Re: [OAUTH-WG] Why OAuth it self is not an authentication > framework ?**** > **** > OIDC seems about the most plausible candidate for a “good general > solution” that I’m aware of. -T**** > On Tue, Feb 5, 2013 at 1:22 PM, William Mills <wmills_92105@yahoo.com> > wrote:**** > There are some specific design mis-matches for OAuth as an authentication > protocol, it's not what it's designed for and there are some problems you > will run into. Some have used it as such, but it's not a good general > solution.**** > **** > -bill**** > **** > ------------------------------ > *From:* Paul Madsen <paul.madsen@gmail.com> > *To:* John Bradley <ve7jtb@ve7jtb.com> > *Cc:* "oauth@ietf.org WG" <oauth@ietf.org> > *Sent:* Tuesday, February 5, 2013 1:12 PM > *Subject:* Re: [OAUTH-WG] Why OAuth it self is not an authentication > framework ?**** > **** > why pigeonhole it? > > OAuth can be deployed with no authz semantics at all (or at least as > little as any authn mechanism), e.g client creds grant type with no scopes > > I agree that OAuth is not an *SSO* protocol.**** > On 2/5/13 3:36 PM, John Bradley wrote:**** > > OAuth is an Authorization protocol as many of us have pointed out.**** > **** > The post is largely correct and based on one of mine.**** > **** > John B.**** > **** > On 2013-02-05, at 12:52 PM, Prabath Siriwardena <prabath@wso2.com> wrote:* > *** > **** > > FYI and for your comments..**** > **** > > http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html > **** > **** > Thanks & Regards, > Prabath**** > **** > Mobile : +94 71 809 6732 **** > http://blog.facilelogin.com/ > http://rampartfaq.com/**** > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth**** > > **** > **** > > _______________________________________________**** > > OAuth mailing list**** > > OAuth@ietf.org**** > > https://www.ietf.org/mailman/listinfo/oauth**** > > **** > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth**** > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth**** > **** > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- [OAUTH-WG] Why OAuth it self is not an authentica… Prabath Siriwardena
- Re: [OAUTH-WG] Why OAuth it self is not an authen… John Bradley
- Re: [OAUTH-WG] Why OAuth it self is not an authen… Justin Richer
- Re: [OAUTH-WG] Why OAuth it self is not an authen… Paul Madsen
- Re: [OAUTH-WG] Why OAuth it self is not an authen… William Mills
- Re: [OAUTH-WG] Why OAuth it self is not an authen… Tim Bray
- Re: [OAUTH-WG] Why OAuth it self is not an authen… Lewis Adam-CAL022
- Re: [OAUTH-WG] Why OAuth it self is not an authen… John Bradley
- Re: [OAUTH-WG] Why OAuth it self is not an authen… William Mills
- Re: [OAUTH-WG] Why OAuth it self is not an authen… Lewis Adam-CAL022
- Re: [OAUTH-WG] Why OAuth it self is not an authen… John Bradley
- Re: [OAUTH-WG] Why OAuth it self is not an authen… Nat Sakimura