Re: [OAUTH-WG] Reason why no user identifier?
Jim Pravetz <jdp@cayosystems.com> Sat, 11 September 2010 02:22 UTC
Return-Path: <jpravetz@cayosystems.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D05623A68A5 for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 19:22:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.048
X-Spam-Level:
X-Spam-Status: No, score=-1.048 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMSpSQEBCa-O for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 19:22:27 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id D043B3A687E for <oauth@ietf.org>; Fri, 10 Sep 2010 19:22:27 -0700 (PDT)
Received: by iwn3 with SMTP id 3so3299107iwn.31 for <oauth@ietf.org>; Fri, 10 Sep 2010 19:22:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.183.200 with SMTP id ch8mr1934739ibb.124.1284171774620; Fri, 10 Sep 2010 19:22:54 -0700 (PDT)
Sender: jpravetz@cayosystems.com
Received: by 10.231.158.83 with HTTP; Fri, 10 Sep 2010 19:22:54 -0700 (PDT)
X-Originating-IP: [76.126.245.192]
In-Reply-To: <FFDFD7371D517847AD71FBB08F9A31564B50F5EE@SP2-EX07VS06.ds.corp.yahoo.com>
References: <AANLkTimaXNz9tcjRuDULx07n72U20tXBc8pw6NuDS_vE@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A31564B50F5EE@SP2-EX07VS06.ds.corp.yahoo.com>
Date: Fri, 10 Sep 2010 19:22:54 -0700
X-Google-Sender-Auth: HVhOW1EQsw0oGqsl7Ux3uuDEln0
Message-ID: <AANLkTi=7S6T8-C5bJhs5cZF6ZekfgWV89ApsX8d_KdTc@mail.gmail.com>
From: Jim Pravetz <jdp@cayosystems.com>
To: William Mills <wmills@yahoo-inc.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Reason why no user identifier?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Sep 2010 02:22:28 -0000
Thanks for the explanation, William. Is there or should there be guidance in the spec for providing an optional user handle for when the token issuer trusts the client with this information? Regards, Jim On Fri, Sep 10, 2010 at 6:25 PM, William Mills <wmills@yahoo-inc.com> wrote: > There are use cases where the user does not wish to disclose anything extra in the 3 legged case. For example, I am both a Yahoo and Facebook user, and I want to allow events to be published on Facebook when I comment on an article at Yahoo (there are many many of these kinds of pairings). I don't want to tell Yahoo! my account name at Facebook, Yahoo gets a credential to use with Facebook that discloses nothing about me other than I am a Facebook user and I want Yahoo to use the updates API. > > Making a user identifier a requirement prevents these use cases. There are other use cases where a site may want to provide a user handle separate from the token that can be used as a primary key, but again is opague and discloses nothing about the user. The token can be used to fetch user information if the PR chooses to allow that. > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Jim Pravetz >> Sent: Friday, September 10, 2010 6:03 PM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Reason why no user identifier? >> >> I'm curious and would appreciate some background as to why there is no >> user identifier associated with tokens (access, refresh, or >> authorization code)? It seems so common to use identifiers, and >> convenient, that this is a surprise. In contrast, the spec does define >> a client identifier. >> >> In my use case I have a client (native application) that stores >> records retrieved from a server, for one or more individuals (i.e. I >> maintain credentials for multiple users). Without a user identifier, >> it would seem that user identification would have to be retrieved from >> data returned from the protected resource, and it seems plausible that >> existing protocols might not have this capability. >> >> It would also seem more efficient to be able to determine if a user >> already has a local (on client) credential without going through the >> full process of getting an access token and retrieving a protected >> resource. For instance, if a user initiates an enrollment process the >> process could be stopped early if a token for a userid is already >> possessed. >> >> I would think the protected resource server would also benefit from a >> user identifier. At a minimum it would provide useful logging >> information for failed login attempts, and perhaps could be used in >> risk analysis. >> >> Apologies if this is an old topic or if I missed the explanation >> somewhere. >> >> Regards, Jim >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Reason why no user identifier? Jim Pravetz
- Re: [OAUTH-WG] Reason why no user identifier? William Mills
- Re: [OAUTH-WG] Reason why no user identifier? Jim Pravetz
- Re: [OAUTH-WG] Reason why no user identifier? William Mills
- Re: [OAUTH-WG] Reason why no user identifier? David Recordon