Re: [OAUTH-WG] Reason why no user identifier?

William Mills <wmills@yahoo-inc.com> Sat, 11 September 2010 01:25 UTC

From: William Mills <wmills@yahoo-inc.com>
To: Jim Pravetz <jdp@cayosystems.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 10 Sep 2010 18:25:46 -0700
Thread-Topic: [OAUTH-WG] Reason why no user identifier?
Thread-Index: ActRTXTXP+xy+uVTTrSuf9HcDEXQsgAAdIgw
Message-ID: <FFDFD7371D517847AD71FBB08F9A31564B50F5EE@SP2-EX07VS06.ds.corp.yahoo.com>
References: <AANLkTimaXNz9tcjRuDULx07n72U20tXBc8pw6NuDS_vE@mail.gmail.com>
In-Reply-To: <AANLkTimaXNz9tcjRuDULx07n72U20tXBc8pw6NuDS_vE@mail.gmail.com>
Subject: Re: [OAUTH-WG] Reason why no user identifier?
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

There are use cases where the user does not wish to disclose anything extra in the 3-legged case.  For example, I am both a Yahoo and Facebook user, and I want to allow events to be published on Facebook when I comment on an article at Yahoo (there are many, many of these kinds of pairings).  I don't want to tell Yahoo! my account name at Facebook; Yahoo gets a credential to use with Facebook that discloses nothing about me other than that I am a Facebook user and I want Yahoo to use the updates API.

Making a user identifier a requirement prevents these use cases.  There are other use cases where a site may want to provide a user handle separate from the token that can be used as a primary key, but again is opaque and discloses nothing about the user.  The token can be used to fetch user information if the PR chooses to allow that.

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Jim Pravetz
> Sent: Friday, September 10, 2010 6:03 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Reason why no user identifier?
> 
> I'm curious and would appreciate some background as to why there is no
> user identifier associated with tokens (access, refresh, or
> authorization code)? It seems so common to use identifiers, and
> convenient, that this is a surprise. In contrast, the spec does define
> a client identifier.
> 
> In my use case I have a client (native application) that stores
> records retrieved from a server, for one or more individuals (i.e. I
> maintain credentials for multiple users). Without a user identifier,
> it would seem that user identification would have to be retrieved from
> data returned from the protected resource, and it seems plausible that
> existing protocols might not have this capability.
> 
> It would also seem more efficient to be able to determine if a user
> already has a local (on client) credential without going through the
> full process of getting an access token and retrieving a protected
> resource. For instance, if a user initiates an enrollment process, the
> process could be stopped early if a token for a userid is already
> possessed.
> 
> I would think the protected resource server would also benefit from a
> user identifier. At a minimum it would provide useful logging
> information for failed login attempts, and perhaps could be used in
> risk analysis.
> 
> Apologies if this is an old topic or if I missed the explanation
> somewhere.
> 
> Regards, Jim
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
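The following is an added illustration, not code from either poster or from the OAuth specification, of the two designs discussed above: an authorization server that issues fully opaque access tokens (disclosing nothing about the user), and the optional per-client opaque user handle William mentions, which lets a client such as Jim's native application use it as a primary key and short-circuit a repeat enrollment without ever learning the user's account name at the provider. All class and method names, the client identifiers, and the user id are hypothetical; the handle is derived with an HMAC keyed by a server-side secret so it is stable for one (user, client) pair, differs across clients, and cannot be reversed to the user id without that key.

```python
import hashlib
import hmac
import secrets


class AuthorizationServer:
    """Hypothetical AS: opaque tokens plus pairwise, opaque user handles."""

    def __init__(self):
        # Constructed server-side secret; in practice a stored, rotated key.
        self._handle_key = secrets.token_bytes(32)
        # token -> (user_id, client_id, scope). The token string itself
        # carries no information; all meaning lives in this table.
        self._tokens = {}

    def issue_token(self, user_id, client_id, scope):
        # Random, unguessable, and unrelated to the user identity.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, client_id, scope)
        return token

    def user_handle(self, user_id, client_id):
        # Pairwise handle: same value each time for this (client, user),
        # a different value at any other client, opaque to the client.
        msg = f"{client_id}\0{user_id}".encode()
        return hmac.new(self._handle_key, msg, hashlib.sha256).hexdigest()

    def introspect(self, token):
        # Lookup a protected resource would perform; None for unknown tokens.
        return self._tokens.get(token)

    def tokens_issued(self):
        return len(self._tokens)


class NativeClient:
    """Hypothetical native app holding credentials for several users."""

    def __init__(self, client_id):
        self.client_id = client_id
        self._store = {}  # handle -> access token

    def already_enrolled(self, handle):
        return handle in self._store

    def enroll(self, handle, token):
        self._store[handle] = token

    def token_for(self, handle):
        return self._store.get(handle)


def demo():
    """Run both enrollment attempts and report the properties we care about."""
    auth = AuthorizationServer()
    app = NativeClient("client-A")      # constructed client id
    other = NativeClient("client-B")    # constructed client id
    user = "alice@example.invalid"      # constructed user id

    h_app = auth.user_handle(user, app.client_id)
    h_other = auth.user_handle(user, other.client_id)

    # First enrollment: no local credential, so run the full flow.
    if not app.already_enrolled(h_app):
        app.enroll(h_app, auth.issue_token(user, app.client_id, "updates"))
    first_token = app.token_for(h_app)

    # Second enrollment of the same user: stops early, no new token issued.
    if not app.already_enrolled(h_app):
        app.enroll(h_app, auth.issue_token(user, app.client_id, "updates"))

    return {
        "handle_stable": h_app == auth.user_handle(user, app.client_id),
        "handle_pairwise": h_app != h_other,
        "handle_opaque": "alice" not in h_app,
        "token_reused": app.token_for(h_app) == first_token,
        "tokens_issued": auth.tokens_issued(),
        "introspection": auth.introspect(first_token),
        "unknown_token": auth.introspect("not-a-token"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The client never sees `user_id`; it keys its local store on the handle and learns only that "the same person as last time" is enrolling. The protected resource still recovers the user, client and scope through the server-side lookup in `introspect`, which is the mechanism William refers to when he says the token can be used to fetch user information if the provider allows it.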