[OAUTH-WG] OAuth Trust model

2023-07-15 Thread Matthias Fulz
Hi all, I was thinking about a (at least I see it that way) problem in the whole oauth/openid design: The problem is the following: The user has no control over what providers are accepted by the clients (websites, etc.) and this opens access to these providers without any way t

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread Matthias Fulz
Thank you for the responses so far. On 8/9/23 22:20, Warren Parad wrote: I can tell you I definitely read it. I actually read it multiple times. But I don't know what to tell you. The problem you've identified exists, but that doesn't necessarily mean it is a problem. In a way it is a bit like

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread Matthias Fulz
have a relationship with. Further I could think of extended security, by using signed tokens with a user-provided public key, so it's technically secured to just fake tokens. On Thu, Aug 10, 2023 at 12:27 AM Matthias Fulz wrote: Thank you for the responses so far. On 8/9/23 22

Re: [OAUTH-WG] OAuth Trust model

2023-08-10 Thread Matthias Fulz
nder full control of it. This is not helping to protect the user from malicious intents. On Thu, Aug 10, 2023 at 12:59 AM Matthias Fulz wrote: I'm trying to explain my concern more deeply, please try to follow my thinking. First: Everything you've written is correct and

Re: [OAUTH-WG] [External Sender] Re: OAuth Trust model

2023-08-10 Thread Matthias Fulz
And that latter case is actually the reality if we consider these tokens to be a 2FA mechanism that is managed by the site/resource server. So I read this as, we should standardize *WebAuthn* communication between a *user agent* and the *resource server*. That alread

Re: [OAUTH-WG] OAuth Trust model

2023-08-10 Thread Matthias Fulz
rom what I can understand in your discussion, you are wanting OAuth to do something it is not designed for. On Thu, Aug 10, 2023 at 2:03 PM Matthias Fulz wrote: On 8/10/23 10:25, Warren Parad wrote: You've lost me at this: Some site, which I'm registered in is

Re: [OAUTH-WG] OAuth Trust model

2023-08-10 Thread Matthias Fulz
The client is acting as the user On Thu, Aug 10, 2023 at 2:59 PM Matthias Fulz wrote: I can follow your point but please try to think from a different perspective: As authorization protocol, how can it not let the user decide which AS is AUTHORIZED at which RS acting as the us
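
The per-user binding this message argues for, as an added illustration that is not part of the thread and not code from any OAuth implementation: a resource server that keeps its usual RS-wide list of trusted authorization servers, but additionally refuses a token for an account unless that account's owner has registered the issuing AS. The issuer URLs, the accounts, and the HS256 shared secrets between AS and RS are constructed for the example (a real deployment would verify against the AS's published asymmetric keys); `mint_token` exists only to build test input.

```python
"""Per-user issuer binding at a resource server (added illustration, not from the thread)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample: the RS-wide trust list. Any AS here can assert any subject,
# which is the situation the thread complains about.
RS_TRUSTED_ISSUERS = {
    "https://as-a.example": b"as-a-secret-key-for-demo-only",
    "https://as-b.example": b"as-b-secret-key-for-demo-only",
}

# Constructed sample: the per-user binding. Each account lists the issuers its
# owner has authorised to act on its behalf at this RS.
USER_ALLOWED_ISSUERS = {
    "alice": {"https://as-a.example"},
    "bob": {"https://as-a.example", "https://as-b.example"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, secret: bytes, sub: str, ttl: int = 300) -> str:
    """Mint a minimal HS256 JWT the way an AS would; used only to build inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": sub, "exp": int(time.time()) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """RS-side check. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, wrong part count
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # reject 'none' and algorithm confusion
    issuer = payload.get("iss")
    if not isinstance(issuer, str):
        return False, "malformed token"
    secret = RS_TRUSTED_ISSUERS.get(issuer)
    if secret is None:
        return False, "issuer not trusted by RS"  # the RS-wide list
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    exp = payload.get("exp", 0)
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    sub = payload.get("sub")
    if not isinstance(sub, str):
        return False, "malformed token"
    allowed = USER_ALLOWED_ISSUERS.get(sub)
    if allowed is None:
        return False, "unknown account"
    if issuer not in allowed:
        # The extra check: a globally trusted AS still cannot act as this user
        # unless the user registered it.
        return False, "issuer not authorised by this user"
    return True, sub + " via " + issuer


if __name__ == "__main__":
    a_secret = RS_TRUSTED_ISSUERS["https://as-a.example"]
    b_secret = RS_TRUSTED_ISSUERS["https://as-b.example"]
    print(validate(mint_token("https://as-a.example", a_secret, "alice")))
    print(validate(mint_token("https://as-b.example", b_secret, "alice")))
```

The second call in the `__main__` block is the interesting one: the token is correctly signed by an AS the RS trusts, yet it is rejected because alice never authorised that AS for her account. Without the per-user table, every AS on the RS-wide list could assert any subject.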

Re: [OAUTH-WG] OAuth Trust model

2023-08-21 Thread Matthias Fulz
ive/2013/01/02/oauth-2-0-and-sign-in.aspx>. It authoritatively covers much of the ground in our current discussion. Read and enjoy! -- Mike *From:* OAuth *On Behalf Of* Dick Hardt *Sent:* Thursday, August 10, 2023 5:46 PM *To:* Matthias Fulz *Cc:* oauth@ietf.o