Re: [OAUTH-WG] [External Sender] Re: OAuth Trust model

2023-08-10 Thread Dick Hardt
Per https://openid.net/specs/openid-connect-core-1_0.html OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile i

Re: [OAUTH-WG] [External Sender] Re: OAuth Trust model

2023-08-10 Thread George Fletcher
On Thu, Aug 10, 2023 at 4:30 PM Hans Zandbelt wrote: > On Thu, Aug 10, 2023 at 9:40 PM George Fletcher 40capitalone@dmarc.ietf.org> wrote: > >> Hi Matthias, >> >> First, OAuth is about authorization and NOT authentication. If you are >> concerned with Authentication then this thread should m

Re: [OAUTH-WG] [External Sender] Re: OAuth Trust model

2023-08-10 Thread Matthias Fulz
I get your points, but still let me ask a stupid question: Even if (and I can follow your arguments why) it is in general out of scope, why couldn't it be included into OAuth to avoid such issues at the core layer that other software is relaying on? I mean: Of course in a perfect world the au

Re: [OAUTH-WG] [External Sender] Re: OAuth Trust model

2023-08-10 Thread Hans Zandbelt
On Thu, Aug 10, 2023 at 9:40 PM George Fletcher wrote: > Hi Matthias, > > First, OAuth is about authorization and NOT authentication. If you are > concerned with Authentication then this thread should move to the OpenID > Connect working group mailing list :) > Allow me to set the public record

Re: [OAUTH-WG] [External Sender] Re: OAuth Trust model

2023-08-10 Thread George Fletcher
Hi Matthias, First, OAuth is about authorization and NOT authentication. If you are concerned with Authentication then this thread should move to the OpenID Connect working group mailing list :) Second, if I'm understanding the problem correctly, the issue is NOT with OAuth (the protocol) or the