For me it boils down to this:
OAuth deals with Authorization.

Authentication needs to be outside its realm - whether it is OIDC, SAML or other protocols, it is fine.

The security community has just muddled up things for end users, implementors and adopters.

We need to start having clear cut separation in the standards.

On 06/13/2014 11:24 AM, Prateek Mishra wrote:
Excellent, now you have put your finger on the precise issue with OIDC - lots of optional extensions and shiny trinkets and lack of a clear definition of a core subset for servers.

I realize it's exciting for consultants, software and toolkit vendors to have that sort of optionality, but in practice, it's NOT A GOOD THING in a protocol.

[quote]

It is a bit like saying an 18 wheeler is suitable for driving the kids to school. :-)

I don't think this is true. Most OIDC OAuth extensions are optional with the sole requirement that providers don't barf if you send them.

[/quote]

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
