Re: [OAUTH-WG] third party applications

Jim Manico <jim@manicode.com> Fri, 28 August 2020 16:00 UTC

From: Jim Manico <jim@manicode.com>
Date: Fri, 28 Aug 2020 05:59:52 -1000
Message-Id: <8507D885-1006-4BAC-8365-93FC93C91437@manicode.com>
References: <CC3CDA85-7060-46FA-9C54-BE5E43CC2467@lodderstedt.net>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
In-Reply-To: <CC3CDA85-7060-46FA-9C54-BE5E43CC2467@lodderstedt.net>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hqfmZqk2V7LsXwPbHxuCcsjeJ5w>
Subject: Re: [OAUTH-WG] third party applications

It does not make sense to use OAuth in most single party situations. These single-party OAuth use cases are frequently a complete misuse of the framework. I +1 the language “3rd party” in an effort to steer implementors in the right direction.

--
Jim Manico
@Manicode


> On Aug 28, 2020, at 5:07 AM, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> 
> 
>> On 28. Aug 2020, at 16:56, Dick Hardt <dick.hardt@gmail.com> wrote:
>> 
>> Well, OAuth is not very useful in a monolithic application. No need for an interoperable protocol for that kind of application.
> 
> I don’t know why we need to make any assumptions about the application that uses OAuth. A lot of assumptions might turn out to be wrong. So if we make assumptions they must be relevant for the protocol design. 
> 
> So again, why is “independent” or “third-party” relevant for the protocol design? 
> 
>> 
>> And in separating functions, you are creating separate trust domains. Yes, it is still all internal, but it enables a separation of concerns.
>> 
>> On Fri, Aug 28, 2020 at 7:49 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> In my experience OAuth is used in 1st party scenarios as means to separate functions (e.g. central user management vs. different products) within the same trust domain thus enabling architectural flexibility. 
>> 
>> I would just remove any constraint on the kind of applications OAuth can be used for. I don’t see how this governs the protocol design.  
>> 
>>> On 28. Aug 2020, at 15:29, Dick Hardt <dick.hardt@gmail.com> wrote:
>>> 
>>> The driver in my opinion for first-party use of OAuth is to separate the trust domains so that the application is scoped in what it can do vs an application that has full access to all resources. I agree that third-party can indicate that internal use does not apply. How about the following?
>>> 
>>>   The OAuth 2.1 authorization framework enables an independent
>>>   application to obtain limited access to an HTTP service, either on
>>>   behalf of a resource owner by orchestrating an approval interaction
>>>   between the resource owner and the HTTP service, or by allowing the
>>>   application to obtain access on its own behalf.  This
>>>   specification replaces and obsoletes the OAuth 2.0 Authorization
>>>   Framework described in RFC 6749.
>>> 
>>> On Fri, Aug 28, 2020 at 3:02 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>> I agree. OAuth works for 3rd as well as 1st parties. 
>>> 
>>>> On 28. Aug 2020, at 05:26, Dima Postnikov <dima@postnikov.net> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> Can "third-party" term be removed from the specification?
>>>> 
>>>> The standard and associated best practices apply to other applications that act on behalf of a resource owner, too (internal, "first-party" and etc).
>>>> 
>>>> Regards,
>>>> 
>>>> Dima
>>>> 
>>>>   The OAuth 2.1 authorization framework enables a third-party
>>>>   application to obtain limited access to an HTTP service, either on
>>>>   behalf of a resource owner by orchestrating an approval interaction
>>>>   between the resource owner and the HTTP service, or by allowing the
>>>>   third-party application to obtain access on its own behalf.  This
>>>>   specification replaces and obsoletes the OAuth 2.0 Authorization
>>>>   Framework described in RFC 6749.
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
> 