Re: [OAUTH-WG] third party applications

Dick Hardt <dick.hardt@gmail.com> Fri, 28 August 2020 13:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zXpJBOUxi3k02y3dhXrthyR4zI8>

The driver in my opinion for first-party use of OAuth is to separate the
trust domains so that the application is scoped in what it can do vs an
application that has full access to all resources. I agree that third-party
can indicate that internal use does not apply. How about the following?

   The OAuth 2.1 authorization framework enables an *independent*
   application to obtain limited access to an HTTP service, either on
   behalf of a resource owner by orchestrating an approval interaction
   between the resource owner and the HTTP service, or by allowing the
   application to obtain access on its own behalf.  This
   specification replaces and obsoletes the OAuth 2.0 Authorization
   Framework described in RFC 6749.

On Fri, Aug 28, 2020 at 3:02 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:

> I agree. OAuth works for 3rd as well as 1st parties as well.
>
> > On 28. Aug 2020, at 05:26, Dima Postnikov <dima@postnikov.net> wrote:
> >
> > Hi,
> >
> > Can the "third-party" term be removed from the specification?
> >
> > The standard and associated best practices apply to other applications
> > that act on behalf of a resource owner, too (internal, "first-party",
> > etc.).
> >
> > Regards,
> >
> > Dima
> >
> >    The OAuth 2.1 authorization framework enables a third-party
> >    application to obtain limited access to an HTTP service, either on
> >    behalf of a resource owner by orchestrating an approval interaction
> >    between the resource owner and the HTTP service, or by allowing the
> >    third-party application to obtain access on its own behalf.  This
> >    specification replaces and obsoletes the OAuth 2.0 Authorization
> >    Framework described in RFC 6749.
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>