Re: [OAUTH-WG] On the ease of writing an authorization server
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 15 June 2010 16:50 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A82943A6A40 for <oauth@core3.amsl.com>; Tue, 15 Jun 2010 09:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.385
X-Spam-Level:
X-Spam-Status: No, score=-1.385 tagged_above=-999 required=5 tests=[AWL=-0.276, BAYES_05=-1.11, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLlvsvDHaoDG for <oauth@core3.amsl.com>; Tue, 15 Jun 2010 09:50:28 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 0BECD3A6A2F for <oauth@ietf.org>; Tue, 15 Jun 2010 09:50:28 -0700 (PDT)
Received: (qmail 11852 invoked from network); 15 Jun 2010 16:50:32 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 15 Jun 2010 16:50:32 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Tue, 15 Jun 2010 09:50:19 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Andrew Arnott <andrewarnott@gmail.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Tue, 15 Jun 2010 09:50:25 -0700
Thread-Topic: [OAUTH-WG] On the ease of writing an authorization server
Thread-Index: AcsMnzGhGPgqP8nWS9y/f1h3cO7wAgAC3dWA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3EBB6A3D@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <AANLkTimcxhzhOAiKTN8rZIJRw3LkNmRu5wYOa0HnVrsO@mail.gmail.com>
In-Reply-To: <AANLkTimcxhzhOAiKTN8rZIJRw3LkNmRu5wYOa0HnVrsO@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E72343B3EBB6A3DP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] On the ease of writing an authorization server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 16:50:32 -0000
If the current draft is too hard for server developers to implement correctly, they should probably hire someone more capable. Server side development of a security protocol isn't something I'd like to see done by people without the proper experience. Once we have the security consideration section, this will become even more complex. EHL From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Andrew Arnott Sent: Tuesday, June 15, 2010 8:19 AM To: OAuth WG (oauth@ietf.org) Subject: [OAUTH-WG] On the ease of writing an authorization server I've read a few comments on this DL that a primary goal is that writing an OAuth 2.0 client should be very easy. I think we're doing well here. I know this ease for the client necessarily comes at the expense of some complexity on the server. As has also been pointed out recently (by Eran, I believe) the AS' job is considerably more complex now than it was in OAuth 1.0. While overall this may be a win, it also seems optimized for the few large service providers that are driving the spec (Facebook, Twitter, etc.). They definitely have the resources and understanding that a large investment in security is important. But as more web sites across the Internet drop using user passwords in favor of federated identity and/or OpenID-type protocols, the only way these sites can delegate access to user data will be to use a protocol like OAuth 2.0 since user passwords will no longer apply. Therefore very many web sites will become OAuth 2.0 resource servers, and likely given their size and requirements will be their on authorization server as well. Now we have a complex server-side protocol that may be "too" complex for the average-sized web site to implement correctly and confidently. So my $0.02 here is that we try to keep the AS side simple as well where possible. And invite responses from others. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
- [OAUTH-WG] On the ease of writing an authorizatio… Andrew Arnott
- Re: [OAUTH-WG] On the ease of writing an authoriz… David Recordon
- Re: [OAUTH-WG] On the ease of writing an authoriz… Eran Hammer-Lahav
- Re: [OAUTH-WG] On the ease of writing an authoriz… Andrew Arnott