Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread William Mills
Why use OAuth when OpenID does everything that OAuth can do as an authentication method and does a few things much better? Specifically OAuth lacks any defined way to: - feed back any additional information like the real user ID (as opposed to what they entered) - bound an authentication event in

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread John Bradley
I am not against using OAuth to build other protocols. I am only concerned that when people build those things they perform the appropriate security analyses, and not make inappropriate assumptions about the underlying protocol. You can certainly use OAuth to authenticate a principal to a clie

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread Lewis Adam-CAL022
I think this is becoming a largely academic / philosophical argument by this time. The people who designed OAuth will likely point out that it was conceptualized as an authorization protocol to enable a RO to delegate access to a client to access its protected resources on some RS. And of cour

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-05 Thread Todd W Lainhart
+1 Todd Lainhart Rational software IBM Corporation 550 King Street, Littleton, MA 01460-1250 1-978-899-4705 2-276-4705 (T/L) lainh...@us.ibm.com From: George Fletcher To: Torsten Lodderstedt , Cc: "oauth-boun...@ietf.org" , OAuth WG Date: 02/05/2013 04:35 PM Subject:

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-05 Thread George Fletcher
I'm fine with this solution as well. --George On 2/5/13 3:45 PM, Torsten Lodderstedt wrote: I know, that's why I asked. I think this is the simplest way to deal with this type of error. I therefore prefer it. Am 05.02.2013 um 20:49 schrieb Justin Richer: You know

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread Tim Bray
OIDC seems about the most plausible candidate for a “good general solution” that I’m aware of. -T On Tue, Feb 5, 2013 at 1:22 PM, William Mills wrote: > There are some specific design mis-matches for OAuth as an authentication > protocol, it's not what it's designed for and there are some probl
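The checks that make an OpenID Connect ID token usable as an authentication event, as an added example that is not code from the thread or from any of its participants. It covers the two gaps Bill's message lists for plain OAuth: the `sub` claim carries the identifier of the user who actually authenticated, `aud` (and `azp` when several audiences are present) ties the token to one client, and `nonce` plus `auth_time` bind it to a specific, recent authentication. The issuer, client id and shared secret are constructed values; HS256 with a shared secret is used only so the example runs offline, whereas a real provider signs with an asymmetric key that the relying party fetches from the provider's JWKS endpoint.

```python
"""ID token validation for a relying party (added example, not from the thread).

Assumptions (constructed for the example): ISSUER, CLIENT_ID and SECRET below,
and HS256 signing. Real OIDC providers use RS256/ES256 with published keys.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"      # constructed issuer URL
CLIENT_ID = "rp-client-123"         # constructed client id of this relying party
SECRET = b"constructed-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the provider's signing step."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class IDTokenError(Exception):
    """Raised when the token must not be treated as an authentication event."""


def validate_id_token(token: str, expected_nonce: str, max_age: float = None,
                      now: float = None, secret: bytes = SECRET):
    """Return (sub, claims) if the token proves a fresh login of a user to THIS client."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise IDTokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    # The algorithm comes from the RP's configuration, never from the token alone.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise IDTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))

    # Who issued it, and was it issued for us? (token substitution check)
    if claims.get("iss") != ISSUER:
        raise IDTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise IDTokenError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise IDTokenError("azp does not name this client")

    # Is it still valid, and does it answer the request we actually made?
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IDTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (replayed or unsolicited token)")

    # Was the authentication event recent enough for this login?
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise IDTokenError("authentication too old")

    if "sub" not in claims:
        raise IDTokenError("no subject")
    return claims["sub"], claims
```

Nothing in this list is available from a bare access token: it names no user, no client it was issued to, and no authentication time, which is why a client that logs a user in on the strength of "I have a working access token" cannot tell a token obtained for it from one obtained for another client.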

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread William Mills
There are some specific design mis-matches for OAuth as an authentication protocol, it's not what it's designed for and there are some problems you will run into. Some have used it as such, but it's not a good general solution. -bill From: Paul Madsen To: Jo

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread Paul Madsen
why pigeonhole it? OAuth can be deployed with no authz semantics at all (or at least as little as any authn mechanism), e.g. client creds grant type with no scopes I agree that OAuth is not an *SSO* protocol. On 2/5/13 3:36 PM, John Bradley wrote: OAuth is an Authorization protocol as many of

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-05 Thread Torsten Lodderstedt
I know, that's why I asked. I think this is the simplest way to deal with this type of error. I therefore prefer it. Am 05.02.2013 um 20:49 schrieb Justin Richer: > You know, that works as well. From the client's perspective, the token isn't > good anymore. The client shouldn't care if the tok

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread Justin Richer
Another very good writeup of this was published recently as well: http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx This confusion seems to be a major sticking point among developers. -- Justin On 02/05/2013 02:52 PM, Prabath Siriwardena wrote: FYI and for your

Re: [OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread John Bradley
OAuth is an Authorization protocol as many of us have pointed out. The post is largely correct and based on one of mine. John B. On 2013-02-05, at 12:52 PM, Prabath Siriwardena wrote: > FYI and for your comments.. > > http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication

[OAUTH-WG] AUTO: Codur Sreedhar Pranam is out of the office (returning 02/19/2013)

2013-02-05 Thread Codur Sreedhar Pranam
I am out of the office until 02/19/2013. Note: This is an automated response to your message "OAuth Digest, Vol 52, Issue 17" sent on 02/06/2013 3:49:52. This is the only notification you will receive while this person is away.___ OAuth mailing li

[OAUTH-WG] Why OAuth itself is not an authentication framework?

2013-02-05 Thread Prabath Siriwardena
FYI and for your comments.. http://blog.facilelogin.com/2013/02/why-oauth-it-self-is-not-authentication.html Thanks & Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com ___ OAuth mailing list OAuth@ietf.org htt

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-05 Thread Justin Richer
You know, that works as well. From the client's perspective, the token isn't good anymore. The client shouldn't care if the token was good in the first place if it's revoking it. -- Justin On 02/05/2013 02:41 PM, Torsten Lodderstedt wrote: Why not adopting Bill's suggestion and just return H

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-05 Thread Torsten Lodderstedt
Why not adopt Bill's suggestion and just return HTTP status code 200 for (already) invalid tokens? regards, Torsten. Am 05.02.2013 um 17:46 schrieb Todd W Lainhart: > > Could it do something with invalid_parameter that it couldn't do with > > invalid_token_parameter (among others), or vice
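The response behaviour Torsten proposes above (and Justin and George accept in their replies), as an added example that is not code from the thread or from the draft's authors: a revocation endpoint that answers 200 whether the presented token is live, already revoked, or was never issued, so a client discarding a token sees one response regardless of the token's prior state and a caller learns nothing about which strings are valid tokens. The in-memory store, client registry and token format are constructed for the example. Two further behaviours come from draft-ietf-oauth-revocation (later RFC 7009): revoking a refresh token also invalidates the access tokens issued on the same grant, and `token_type_hint` is only a lookup optimisation. Treating a token that belongs to a different client exactly like an unknown one is this example's choice, not something the thread settles.

```python
"""Idempotent, non-leaking token revocation endpoint (added example, not from the thread).

Assumptions: an in-memory token store and client table constructed here; a real
authorization server would back these with its database and its configured
client authentication method.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    kind: str        # "access_token" or "refresh_token"
    client_id: str   # client the token was issued to
    grant_id: str    # ties a refresh token to the access tokens minted from it
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> client_secret (constructed test data)
        self.tokens = {}    # token string -> TokenRecord

    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = client_secret

    def issue(self, client_id: str):
        """Issue an (access_token, refresh_token) pair on a fresh grant."""
        grant_id = secrets.token_urlsafe(8)
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[access] = TokenRecord("access_token", client_id, grant_id)
        self.tokens[refresh] = TokenRecord("refresh_token", client_id, grant_id)
        return access, refresh

    def _authenticate(self, client_id: str, client_secret: str) -> bool:
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(
            expected.encode(), client_secret.encode())

    def revoke(self, client_id: str, client_secret: str, token: str,
               token_type_hint: str = None):
        """Handle POST /revoke; return (http_status, json_body)."""
        # Client authentication failures are the only thing worth reporting.
        if not self._authenticate(client_id, client_secret):
            return 401, {"error": "invalid_client"}

        # token_type_hint only narrows the search in a real store; with a single
        # dict there is nothing to narrow, and a wrong hint must not change the answer.
        rec = self.tokens.get(token)

        # Unknown, already revoked, or issued to another client: from the caller's
        # point of view the token is no longer usable, and that is all it learns.
        if rec is None or rec.client_id != client_id:
            return 200, {}

        rec.revoked = True
        # Revoking a refresh token takes down every access token from the same grant.
        if rec.kind == "refresh_token":
            for other in self.tokens.values():
                if other.grant_id == rec.grant_id:
                    other.revoked = True
        return 200, {}

    def is_valid(self, token: str) -> bool:
        rec = self.tokens.get(token)
        return rec is not None and not rec.revoked
```

Because the success path and the "nothing to do" path return the identical response, a client can call `revoke` unconditionally on logout, retries after a lost response are harmless, and the endpoint cannot be used as an oracle to test guessed token strings.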

Re: [OAUTH-WG] draft-ietf-oauth-revocation

2013-02-05 Thread Todd W Lainhart
> Could it do something with invalid_parameter that it couldn't do with invalid_token_parameter (among others), or vice versa? I'm not imagining a client doing anything programmatically useful with the distinction. Todd Lainhart Rational software IBM Corporation 550 King Street, Littleton,

[OAUTH-WG] Is Facebook login OAuth 2.0 compatible?

2013-02-05 Thread Prabath Siriwardena
Here are some references that I found showing they do not... thoughts appreciated... 1. https://developers.facebook.com/docs/howtos/login/login-as-app/ 2. https://developers.facebook.com/docs/howtos/login/extending-tokens/ 3. https://developers.facebook.com/docs/howtos/login/login-as-page/ Thanks & Regard

Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?

2013-02-05 Thread Justin Richer
Dale is correct, I was misremembering slightly -- UAA does not do what we would really call dynamic registration with SCIM, but rather does a static client provisioning using SCIM as the API for provisioning the client objects. Still, it's a real-life implementation of something similar that we

Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?

2013-02-05 Thread Justin Richer
The counter argument is that if you do something that's half way between two fairly well-established programming practices, then you can end up making a strange chimera. I agree that we shouldn't "boil the ocean", but dictating HTTP verb usage on the endpoint is far from that. The crux of my a