Hi all,
I was thinking about a problem (at least I see it that way) in the
whole OAuth/OpenID design:
The problem is the following:
The user has no control over which providers are accepted by the clients
(websites, etc.), and this opens access to these providers without any
way t
Thank you for the responses so far.
On 8/9/23 22:20, Warren Parad wrote:
I can tell you I definitely read it. I actually read it multiple
times. But I don't know what to tell you. The problem you've
identified exists, but that doesn't necessarily mean it is a problem.
In a way it is a bit like
have a relationship with.
Further I could think of extended security, by using signed tokens with
user provided public key, so it's technically secured to just fake tokens.
On Thu, Aug 10, 2023 at 12:27 AM Matthias Fulz wrote:
Thank you for the responses so far.
On 8/9/23 22
nder full control of it. This
is not helping to protect the user from malicious intents.
On Thu, Aug 10, 2023 at 12:59 AM Matthias Fulz wrote:
I'm trying to explain my concern more deeply, please try to follow
my thinking.
First: Everything you've written is correct and
And that latter case is actually the reality if we consider
these tokens to be a 2FA mechanism that is managed by the
site/resource server. So I read this as, we should standardize
*WebAuthn* communication between a *user agent* and the
*resource server*. That alread
rom what I can understand in your discussion, you are wanting OAuth
to do something it is not designed for.
On Thu, Aug 10, 2023 at 2:03 PM Matthias Fulz wrote:
On 8/10/23 10:25, Warren Parad wrote:
You've lost me at this:
Some site, which I'm registered in is
The client is acting as the user
On Thu, Aug 10, 2023 at 2:59 PM Matthias Fulz wrote:
I can follow your point but please try to think from a different
As an authorization protocol, how can it not let the user decide
which AS is AUTHORIZED at which RS acting as the us
It authoritatively covers much of the ground in our current
Read and enjoy!
-- Mike
*From:* OAuth *On Behalf Of* Dick Hardt
*Sent:* Thursday, August 10, 2023 5:46 PM
*To:* Matthias Fulz
*Cc:* oauth@ietf.o