Re: [OAUTH-WG] Reason why no user identifier?

David Recordon <recordond@gmail.com> Sat, 11 September 2010 03:17 UTC

In-Reply-To: <AANLkTi=7S6T8-C5bJhs5cZF6ZekfgWV89ApsX8d_KdTc@mail.gmail.com>
References: <AANLkTimaXNz9tcjRuDULx07n72U20tXBc8pw6NuDS_vE@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A31564B50F5EE@SP2-EX07VS06.ds.corp.yahoo.com> <AANLkTi=7S6T8-C5bJhs5cZF6ZekfgWV89ApsX8d_KdTc@mail.gmail.com>
Date: Fri, 10 Sep 2010 20:17:41 -0700
Message-ID: <AANLkTikYrc79T9bvRrSnJrvK7E8S=gV=pZY9xBCxwPiJ@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Jim Pravetz <jdp@cayosystems.com>
Content-Type: multipart/alternative; boundary="002215046c8f66068e048ff34ef3"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Reason why no user identifier?

Hey Jim, you should join the OpenID Connect work. We're layering
decentralized identity on top of OAuth 2.0.
 - http://openidconnect.com/
 - http://lists.openid.net/mailman/listinfo/openid-specs-connect


On Fri, Sep 10, 2010 at 7:22 PM, Jim Pravetz <jdp@cayosystems.com> wrote:

> Thanks for the explanation, William.
>
> Is there or should there be guidance in the spec for providing an
> optional user handle for when the token issuer trusts the client with
> this information?
>
> Regards, Jim
>
> On Fri, Sep 10, 2010 at 6:25 PM, William Mills <wmills@yahoo-inc.com>
> wrote:
> > There are use cases where the user does not wish to disclose anything
> extra in the 3 legged case.  For example, I am both a Yahoo and Facebook
> user, and I want to allow events to be published on Facebook when I comment
> on an article at Yahoo (there are many many of these kinds of pairings).  I
> don't want to tell Yahoo! my account name at Facebook, Yahoo gets a
> credential to use with Facebook that discloses nothing about me other than I
> am a Facebook user and I want Yahoo to use the updates API.
> >
> > Making a user identifier a requirement prevents these use cases.  There
> are other use cases where a site may want to provide a user handle separate
> from the token that can be used as a primary key, but again is opaque and
> discloses nothing about the user.  The token can be used to fetch user
> information if the PR chooses to allow that.
> >
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> >> Of Jim Pravetz
> >> Sent: Friday, September 10, 2010 6:03 PM
> >> To: oauth@ietf.org
> >> Subject: [OAUTH-WG] Reason why no user identifier?
> >>
> >> I'm curious and would appreciate some background as to why there is no
> >> user identifier associated with tokens (access, refresh, or
> >> authorization code)? It seems so common to use identifiers, and
> >> convenient, that this is a surprise. In contrast, the spec does define
> >> a client identifier.
> >>
> >> In my use case I have a client (native application) that stores
> >> records retrieved from a server, for one or more individuals (i.e. I
> >> maintain credentials for multiple users). Without a user identifier,
> >> it would seem that user identification would have to be retrieved from
> >> data returned from the protected resource, and it seems plausible that
> >> existing protocols might not have this capability.
> >>
> >> It would also seem more efficient to be able to determine if a user
> >> already has a local (on client) credential without going through the
> >> full process of getting an access token and retrieving a protected
> >> resource. For instance, if a user initiates an enrollment process the
> >> process could be stopped early if a token for a userid is already
> >> possessed.
> >>
> >> I would think the protected resource server would also benefit from a
> >> user identifier. At a minimum it would provide useful logging
> >> information for failed login attempts, and perhaps could be used in
> >> risk analysis.
> >>
> >> Apologies if this is an old topic or if I missed the explanation
> >> somewhere.
> >>
> >> Regards, Jim
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
>
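The pattern the thread circles around (an access token that carries no user data, plus an optional opaque per-client handle the issuer may hand to a trusted client, which the client can use as a primary key and the protected resource can use in logs) is sketched below as an added example. It is not code from this thread, from the OAuth 2.0 drafts or from OpenID Connect; the authorization server, client store, resource server, client IDs, user IDs and the "pre-check" step in enroll() are all hypothetical, in-memory stand-ins, and every input is constructed. The handle is an HMAC over (client_id, user_id) under an issuer-held key, which is the same idea OpenID Connect later standardised as pairwise subject identifiers.

```python
"""Opaque bearer token plus an optional, pairwise user handle (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional


class AuthorizationServer:
    """Hypothetical issuer: random opaque tokens, user binding kept server-side."""

    def __init__(self) -> None:
        # Key for deriving handles. Rotating it changes every handle, so it
        # would be managed alongside the issuer's other long-lived keys.
        self._handle_key = secrets.token_bytes(32)
        # token -> (user_id, client_id, scope); the token string itself says nothing.
        self._tokens: dict[str, tuple[str, str, str]] = {}

    def pairwise_handle(self, user_id: str, client_id: str) -> str:
        # Stable for one (user, client) pair, different for every other client,
        # and not reversible to the account name without the issuer's key.
        msg = f"{client_id}\x00{user_id}".encode()
        return hmac.new(self._handle_key, msg, hashlib.sha256).hexdigest()[:32]

    def issue_token(self, user_id: str, client_id: str, scope: str,
                    share_handle: bool) -> dict:
        token = secrets.token_urlsafe(32)  # random; no embedded user data
        self._tokens[token] = (user_id, client_id, scope)
        resp = {"access_token": token, "token_type": "bearer", "scope": scope}
        if share_handle:  # only when the issuer trusts this client with it
            resp["user_handle"] = self.pairwise_handle(user_id, client_id)
        return resp

    def introspect(self, token: str) -> Optional[tuple[str, str, str]]:
        return self._tokens.get(token)


class ClientCredentialStore:
    """Native-app side: credentials keyed by the opaque handle, never by account name."""

    def __init__(self) -> None:
        self._by_handle: dict[str, str] = {}

    def has_credential(self, handle: str) -> bool:
        return handle in self._by_handle

    def save(self, handle: str, token: str) -> None:
        self._by_handle[handle] = token

    def token_for(self, handle: str) -> Optional[str]:
        return self._by_handle.get(handle)


def enroll(auth: AuthorizationServer, store: ClientCredentialStore,
           user_id: str, client_id: str, scope: str) -> tuple[str, bool]:
    """Client enrollment; returns (handle, newly_enrolled).

    The pairwise_handle() call stands in for a hypothetical early response from
    the issuer, so the client can stop before completing a full grant when it
    already holds a credential for that user.
    """
    handle = auth.pairwise_handle(user_id, client_id)
    if store.has_credential(handle):
        return handle, False
    resp = auth.issue_token(user_id, client_id, scope, share_handle=True)
    store.save(resp["user_handle"], resp["access_token"])
    return resp["user_handle"], True


class ResourceServer:
    """Hypothetical PR: validates via the issuer, logs failures by handle, not by user."""

    def __init__(self, issuer: AuthorizationServer, profiles: dict) -> None:
        self._issuer = issuer
        self._profiles = profiles  # user_id -> profile data (constructed)
        self.failure_log: list[str] = []

    def get_profile(self, token: str, client_id: str) -> Optional[dict]:
        rec = self._issuer.introspect(token)
        if rec is None or rec[1] != client_id:
            fp = hashlib.sha256(token.encode()).hexdigest()[:12]
            self.failure_log.append(f"denied client={client_id} token_fp={fp}")
            return None
        user_id, _, scope = rec
        if "profile" not in scope.split():
            handle = self._issuer.pairwise_handle(user_id, client_id)
            self.failure_log.append(f"insufficient_scope client={client_id} handle={handle}")
            return None
        return self._profiles[user_id]  # user info only if the PR chooses to allow it


def demo() -> dict:
    """Constructed walk-through returning the properties the thread discusses."""
    auth = AuthorizationServer()
    store = ClientCredentialStore()
    rs = ResourceServer(auth, {"alice@example": {"name": "Alice"}})  # constructed

    h1, new1 = enroll(auth, store, "alice@example", "yahoo-client", "updates")
    h2, new2 = enroll(auth, store, "alice@example", "yahoo-client", "updates")
    h_other = auth.pairwise_handle("alice@example", "other-client")

    # 'updates' scope only: the PR refuses profile data and logs by handle.
    denied = rs.get_profile(store.token_for(h1), "yahoo-client")
    # A grant that includes 'profile' scope lets the PR serve user information.
    rich = auth.issue_token("alice@example", "yahoo-client", "updates profile",
                            share_handle=False)
    allowed = rs.get_profile(rich["access_token"], "yahoo-client")
    return {
        "handle_stable": h1 == h2,
        "handle_unlinkable": h1 != h_other,
        "enrolled_once": new1 and not new2,
        "token_without_handle": "user_handle" not in rich,
        "denied_without_scope": denied is None,
        "profile_with_scope": allowed,
        "log_names_no_user": all("alice" not in line for line in rs.failure_log),
        "log_has_handle": any(h1 in line for line in rs.failure_log),
    }
```

The two points worth noticing when running demo(): the same user enrolling from a different client gets an unrelated handle, so two sites cannot join their records on it, and the handle only ever appears in the issuer's response when the issuer opts in, so the no-disclosure case in the thread is the default rather than a special mode.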