Re: [OAUTH-WG] Report an authentication issue

Justin Richer <> Wed, 20 June 2012 19:10 UTC


> 3) If I wanted to use OAuth, the client would send an authorization 
> request to the server's AS, which would authenticate the user of the 
> client, and ultimately result in the client possessing an 
> access-token.  My thinking is that this access token (let's assume 
> it's a JWT) would contain the user's identity, a statement of what 
> type of primary authentication was used (auth context), an expiration, 
> and an audience claim.  This sounds a lot like authentication to me, 
> and it's where I get confused.  Is it just because OAuth does not 
> explicitly define this?  Is there a threat in using OAuth as I describe?

You've hit on it here -- you're using OAuth *plus* a few other bits to 
accomplish this. Using a JWT lets you do things like signed tokens and 
audience restriction so that clients won't just take *any* token.

> 4) If I wanted to use Connect, well I'm not even sure how the id_token 
> as defined by Connect helps this use case.  The id_token seems to make 
> sense when the client is a confidential web server, but it's not clear 
> what an iPhone app would do with the id_token ... it's the server in 
> the backend that needs to authenticate the user, the iPhone app is 
> just an interface to talk to the server.  And it seems as I learn more 
> about connect that the id_token is not meant to be sent from the 
> iPhone app to the server, just the access token.  So it's really not 
> clear how Connect helps solve authentication for an iPhone client app 
> talking to a video server.  If I'm sending access-tokens, it's just 
> OAuth again.

Connect adds a few things on top of OAuth to make authentication 
possible, and one of these is the id_token. But what you're really after 
in your scenario isn't authentication at the RS per se -- it's 
authorization for accessing it.

  -- Justin
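The token described in point 3 above (identity, authentication context, expiration, audience) and the check Justin refers to (a signed JWT with audience restriction so the RS won't accept just any token), as an added example that is not part of the thread and not code from any of its participants. It uses only the Python standard library; HS256 with a secret shared between the AS and the RS is assumed for brevity, and every key, subject, audience name and claim value below is constructed for the example.

```python
"""Added example: minting (AS side) and verifying (RS side) a signed JWT
access token carrying the claims discussed in the thread: sub (identity),
acr (authentication context), exp (expiration) and aud (audience).
HS256 with a shared secret is an assumption made for brevity; a real AS
would typically sign with an asymmetric key."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between AS and RS (assumption for this example).
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject, audience, acr, lifetime_s=300, now=None,
                      secret=SHARED_SECRET):
    """AS side: build an HS256 JWT with the claims listed in point 3."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": subject,           # the user's identity
        "aud": audience,          # which RS may accept this token
        "acr": acr,               # primary authentication context
        "iat": now,
        "exp": now + lifetime_s,  # expiration
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, expected_audience, required_acr=None, now=None,
                        secret=SHARED_SECRET):
    """RS side: return the claims if every check passes, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' pick the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Audience restriction: a token minted for a different RS is rejected.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    # Authentication context: the RS can demand a particular primary auth type.
    if required_acr is not None and claims.get("acr") != required_acr:
        raise ValueError("insufficient authentication context")
    return claims


def token_accepted(token, expected_audience, required_acr=None, now=None):
    """True if the RS would accept the token, False otherwise."""
    try:
        verify_access_token(token, expected_audience, required_acr, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo values: user "alice", RS "video-server".
    tok = mint_access_token("alice", "video-server", "password")
    print(verify_access_token(tok, "video-server", required_acr="password"))
    print("other RS accepts it?", token_accepted(tok, "other-rs"))
```

The RS never needs to call back to the AS for this check: signature, expiration and audience are all verifiable locally, which is what makes the token usable as a bearer credential between the iPhone app and the video server while still being rejected by any other RS it leaks to.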