Hi Dick,
The solutions you list here focus on using a service worker to intercept an
outgoing call to a resource server. During interception, the service worker
attaches the access token. This pattern is mainly used to avoid inserting
access token logic into the application code. The SW attache
I HIGHLY recommend the authoritative blog post on the subject “OAuth 2.0 and
Sign-In”, written by a dear friend to many of us, Vittorio Bertocci, just over
a decade ago. While Microsoft took it down, it lives on in the Wayback Machine
at
http://web.archive.org/web/20130105031040/http://blogs.m
Philippe: would you expand on your comment:
On Wed, Aug 9, 2023 at 11:51 PM Philippe De Ryck <phili...@pragmaticwebsecurity.com> wrote:
- Remove unproven and overly complicated solutions (i.e., the service
worker approach)
A quick Google on oauth service workers returned a number of articles a
Sorry -- I have not read this thread in depth, so if you have another crisp
example, please send.
Your description sounds like an identity problem and not an authorization
problem. OAuth solves the latter, and it is a feature that the RS does need
to know the client, only that the client is author
I'm running out of ideas to get the point explained...
Ok let's try it from an abstract view:
Think about a school where your kid is allowed to get picked up by a
legitimate list of persons -> ok
Now think about the school saying I'm trusting a third party about
identifying any person on th
This sentence does not make sense to me "which AS is AUTHORIZED at which RS
acting as the user"
The RS server has delegated authorization decisions to the AS
The client is acting as the user
On Thu, Aug 10, 2023 at 2:59 PM Matthias Fulz wrote:
> I can follow your point but please try to think
I can follow your point but please try to think from a different
perspective:
As an authorization protocol, how can it not let the user decide which AS
is AUTHORIZED at which RS acting as the user?
On 8/10/23 23:28, Dick Hardt wrote:
"auth providers" is an extremely confusing term.
OAuth has
"auth providers" is an extremely confusing term.
OAuth has no involvement in the content an RS provides the client -- the AS
only provides authorization to access the content at the RS.
It is common that the AS and RS are the same entity, but the protocol is
designed to have a separation of conce
Per https://openid.net/specs/openid-connect-core-1_0.html
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
protocol. It enables Clients to verify the identity of the End-User based
on the authentication performed by an Authorization Server, as well as to
obtain basic profile i
On Thu, Aug 10, 2023 at 4:30 PM Hans Zandbelt wrote:
> On Thu, Aug 10, 2023 at 9:40 PM George Fletcher 40capitalone@dmarc.ietf.org> wrote:
>
>> Hi Matthias,
>>
>> First, OAuth is about authorization and NOT authentication. If you are
>> concerned with Authentication then this thread should m
I get your points, but still let me ask a stupid question:
Even if (and I can follow your arguments why) it is in general out of
scope, why couldn't it be included in OAuth to avoid such issues at
the core layer that other software is relying on?
I mean: Of course in a perfect world the au
On 8/10/23 10:25, Warren Parad wrote:
You've lost me at this:
Some site I'm registered with is trusting some OAuth provider
I don't even know about. I'm not registered at this provider.
If this provider (independent of how or by whom) is used in a
malicious way, they c
On Thu, Aug 10, 2023 at 9:40 PM George Fletcher wrote:
> Hi Matthias,
>
> First, OAuth is about authorization and NOT authentication. If you are
> concerned with Authentication then this thread should move to the OpenID
> Connect working group mailing list :)
>
Allow me to set the public record
Hi Matthias,
First, OAuth is about authorization and NOT authentication. If you are
concerned with Authentication then this thread should move to the OpenID
Connect working group mailing list :)
Second, if I'm understanding the problem correctly, the issue is NOT with
OAuth (the protocol) or the
Hi Philippe, I look forward to discussing this with you at the OAuth
Security Workshop later this month. Like I mentioned to you last year, I
want to make sure your concerns are adequately captured in the document.
The goal for this draft is not to present the one "best" architecture for
browser-b
I agree with Philippe here.
If there are already documented attack vectors working around the techniques
presented in this document, then I worry it will give people a false sense of
security if they follow the guidance contained therein.
-Brock
On 8/10/2023 2:51:35 AM, Philippe De Ryck
wro
You've lost me at this:
> Some site I'm registered with is trusting some OAuth provider I don't
> even know about. I'm not registered at this provider. If this provider
> (independent of how or by whom) is used in a malicious way, they can
> access my account, without my knowledge by sendi