Centralizing the user auth, yes; it doesn't even have to be multiple types of RS 
for this to win.  Reducing your attack surface and allowing your auth stack to 
be separate from your app stack are two of the good things.  Auth is a 
specialized thing and hard to do right, and pulling it down to a much smaller 
pool of machines than your main application servers lets you more easily see 
and deal with abuse. 


On Monday, October 12, 2015 9:36 PM, Jim Manico <j...@manicode.com> wrote:

This seems like a reasonable approach. Isn't the whole idea of the auth 
server/resource server separation in OAuth 2.0 so that one auth server can 
govern multiple resource servers?

--
Jim Manico
@Manicode

> On Oct 13, 2015, at 6:13 AM, Ofer Nave <odig...@gmail.com> wrote:
> 
> I know the OAuth 2.0 RFC doesn't specify any standards for coordination 
> between the Authorization Server and the Resource Server, as it's generally 
> assumed that both will be owned or operated by the same entity.
> 
> However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a feature 
> to make it easy for other API developers to delegate to me the responsibility 
> of handling the auth grant process and issuing access tokens.
> 
> It seems to me that a simple version of this could be easily done by:
> 
> 1) Defining an Access Token format that contains within it everything a 
> Resource Server will need to validate it and determine the level of access 
> granted (list of scopes, expiration datetime, HMAC signature using a shared 
> secret).
> 
> 2) Providing a means (basic web UI) for Resource Server owners to register a 
> set of scopes for their service, along with user-understandable descriptions 
> of each to display when they arrive at my Authorization Endpoint.
> 
> While I've read the relevant RFCs, I'm new to the OAuth domain, and would 
> appreciate any feedback. Is this a stupid idea?  Is this a good idea, but 
> redundant with another standard I'm not aware of?
> 
> -ofer
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
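The self-contained token format sketched in Ofer's step 1 (scopes, expiration, HMAC over a shared secret), worked through as an added example for both sides of the exchange. This is not code from anyone in the thread; it assumes a payload of base64url-encoded JSON, a per-Resource-Server shared secret table on the Auth Server (the "one auth server governing multiple resource servers" case Jim raises), and an added `aud` field naming the Resource Server the token is for, so a token minted for one RS is rejected by another even if two RSs were ever given the same secret. The field names and secrets are constructed. In practice this shape is essentially what a JWT (RFC 7519) signed with HS256 gives you, which answers the "redundant with another standard" question.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secrets, one per registered Resource Server (assumption:
# the Auth Server keeps a table keyed by an RS identifier; each RS only ever
# sees its own entry).
RS_SECRETS = {
    "photos-api": b"constructed-secret-for-photos-api",
    "billing-api": b"constructed-secret-for-billing-api",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _sign(payload_b64: str, secret: bytes) -> str:
    # HMAC-SHA256 over the encoded payload string exactly as it will travel.
    mac = hmac.new(secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(mac)


def issue_token(rs_id: str, scopes: list, ttl_seconds: int, now: float = None) -> str:
    """Auth Server side: mint '<payload_b64>.<signature_b64>' for one RS."""
    now = time.time() if now is None else now
    payload = {
        "aud": rs_id,                       # which Resource Server this is for
        "scope": sorted(set(scopes)),       # scopes the user granted
        "exp": int(now) + ttl_seconds,      # expiry as a Unix timestamp
    }
    encoded = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    payload_b64 = _b64url_encode(encoded)
    return f"{payload_b64}.{_sign(payload_b64, RS_SECRETS[rs_id])}"


def validate_token(token: str, rs_id: str, required_scope: str, now: float = None):
    """Resource Server side: returns (ok, reason, payload_or_None).

    rs_id is the validating RS's own identifier; it looks up only its own secret.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed", None
    # Verify the MAC first, with a constant-time compare, before trusting any
    # byte of the payload.
    expected = _sign(payload_b64, RS_SECRETS[rs_id])
    if not hmac.compare_digest(expected, sig_b64):
        return False, "bad_signature", None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if payload.get("aud") != rs_id:
        return False, "wrong_audience", None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired", None
    if required_scope not in payload.get("scope", []):
        return False, "insufficient_scope", None
    return True, "ok", payload


if __name__ == "__main__":
    tok = issue_token("photos-api", ["photos:read"], ttl_seconds=300)
    print(tok)
    print(validate_token(tok, "photos-api", "photos:read"))
    print(validate_token(tok, "billing-api", "photos:read"))   # other RS, other secret
```

The order of checks is the point a Resource Server gets wrong most often: the signature is verified over the opaque payload string before the JSON is parsed, so a forged or tampered payload is never interpreted, and expiry and scope are only consulted on a token that is already known to have come from the Auth Server.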