I agree with Dick that it would be a mistake to make the URL one-time use.
It’s unenforceable and unnecessarily gets in the way of valuable deployment
patterns.
From: OAuth On Behalf Of Dick Hardt
Sent: Thursday, August 27, 2020 9:12 AM
To: Justin Richer
Cc: Brian Campbell ; oauth
Subject:
I agree. While the original motivations for OAuth were to support
third-party apps, it's proven to be useful in many other kinds of
situations as well, even when it's a "first-party" app but the OAuth server
is operated by a different organization than the APIs. I don't think the
abstract needs any
It does not make sense to use OAuth in most single party situations. These
single-party OAuth use cases are frequently a complete misuse of the framework.
I +1 the language “3rd party” in an effort to steer implementors in the right
direction.
--
Jim Manico
@Manicode
> On Aug 28, 2020, at 5:0
> On 28. Aug 2020, at 16:56, Dick Hardt wrote:
>
> Well, OAuth is not very useful in a monolithic application. No need for an
> interoperable protocol for that kind of application.
I don’t know why we need to make any assumptions about the application that
uses OAuth. A lot of assumptions mig
Well, OAuth is not very useful in a monolithic application. No need for an
interoperable protocol for that kind of application.
And in separating functions, you are creating separate trust domains. Yes,
it is still all internal, but it enables a separation of concerns.
On Fri, Aug 28, 2020 at 7
In my experience OAuth is used in 1st party scenarios as a means to separate
functions (e.g. central user management vs. different products) within the same
trust domain, thus enabling architectural flexibility.
I would just remove any constraint on the kind of applications OAuth can be
used for.
The driver in my opinion for first-party use of OAuth is to separate the
trust domains so that the application is scoped in what it can do vs an
application that has full access to all resources. I agree that third-party
can indicate that internal use does not apply. How about the following?
Th
Thanks for the response Brian, I agree with your comments. I’ve been scratching
my head for a non-OIDC example for the URI swapping issue, but can’t think of
one that isn’t very contrived at the moment.
— Neil
> On 26 Aug 2020, at 21:04, Brian Campbell wrote:
>
> Thanks Neil. Appreciate the r
I agree. OAuth works for 3rd parties as well as 1st parties.
> On 28. Aug 2020, at 05:26, Dima Postnikov wrote:
>
> Hi,
>
> Can "third-party" term be removed from the specification?
>
> The standard and associated best practices apply to other applications that
> act on behalf of a resource