Anyone read this topic or could tell if there is a better place to address this?

Sent from Nine <http://www.9folders.com/>
--------------------------------
From: mfulz
Sent: Sunday, 16 July 2023 03:38
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth Trust model

Hi all,

I was thinking about some (at least I see it that way) problem in the whole
oauth/openid design:

The problem is the following:

The user has no control over which providers are accepted by the clients
(websites, etc.), and this opens access to these providers without any way to
protect against that.

Example:

I've created an account with email/password login at stackoverflow

I've created an account with the same email at github

-> logged out from stackoverflow

-> logged in via github oauth -> working and connected to the email/pw account
from stackoverflow

Stackoverflow has the possibility to remove the github login now, but the main
problem is that I would be out of control, that some of these oauth providers
(please don't go into the discussion WHY they or anyone should do it) could
access my accounts when such a site would allow them as a provider.

In my opinion it would be good to avoid such issues by including something in
the standard, that the user MUST allow the connection on both sides: on the
client and on the provider.

Yes, for sso without any existing account that's some kind of an issue, but
still some verification process could be added, like sending a confirmation
link, so that the user is accepting the oauth provider on the client side.

Then the oauth provider would also need access to my emails to access my
account.

Not sure if I'm wrong here but I think my description is correct.

BR,

Matthias
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
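One way a relying party (the "client" in the mail above, e.g. a website) could implement the client-side approval the mail asks for, so that a provider login with a matching e-mail never silently attaches to an existing local account. This is an added example, not code from the thread or from any project; the account store, the claim names used (`iss`, `email`, `email_verified`) and the confirmation-link flow are assumptions.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class LocalAccount:
    """A relying-party (client-side) account, keyed by e-mail address (hypothetical store)."""
    email: str
    # Issuers the account owner has explicitly approved on the client side.
    linked_issuers: set = field(default_factory=set)
    # One-time confirmation tokens still waiting for a click: token -> issuer.
    pending: dict = field(default_factory=dict)

def link_decision(claims: dict, accounts: dict) -> tuple:
    """Decide what to do after a successful provider login.

    claims   - ID-token / userinfo claims from the provider (iss, email, email_verified)
    accounts - e-mail -> LocalAccount
    returns  - ("login", None)     provider approved earlier for this account, log in
               ("confirm", token)  mail `token` as a confirmation link; no login yet
               ("reject", None)    provider cannot even vouch for the address
    """
    iss = claims.get("iss")
    email = claims.get("email", "").strip().lower()
    if not iss or not email or claims.get("email_verified") is not True:
        return ("reject", None)
    acct = accounts.get(email)
    if acct is None:
        # First contact through SSO: create the account, but it stays unusable
        # until the owner of the mailbox has followed the confirmation link.
        acct = accounts[email] = LocalAccount(email)
    if iss in acct.linked_issuers:
        return ("login", None)
    # Unapproved provider for an existing address: never auto-link on e-mail match,
    # ask the mailbox owner to approve this provider on the client side first.
    token = secrets.token_urlsafe(32)
    acct.pending[token] = iss
    return ("confirm", token)

def confirm_link(accounts: dict, email: str, token: str) -> bool:
    """Called when the confirmation link is followed; approves that issuer for the account."""
    acct = accounts.get(email.strip().lower())
    if acct is None:
        return False
    iss = acct.pending.pop(token, None)
    if iss is None:
        return False
    acct.linked_issuers.add(iss)
    return True
```

With this policy the provider alone cannot reach the account: it would also need to read the confirmation mail, which is exactly the second-side approval the mail describes.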