[Openid-specs-heart] Flip the question of “Vanilla" OAuth vs. UMA
Debbie Bucci
debbucci at gmail.com
Mon Jul 13 00:48:39 UTC 2015
It does make sense and I can at least *see* your perspective. Not quite
covinced the gap are that wide and/or that adjust couldn't be made as we
move to pilot implementations.
Side by side ... is closer.
On Jul 12, 2015 8:05 PM, "Justin Richer" <jricher at mit.edu> wrote:
> An OIDC client and an OAuth client are after different things, though.
> OIDC is an authentication and identity protocol, OAuth is neither. An OIDC
> client is going to specifically be looking for the id_token and
> specifically asking for the 'openid' scope in order to get it. The
> mechanics on the wire, on the other hand, are nearly identical between the
> two, since an OIDC transaction really is just an OAuth transaction with a
> couple of special inputs (the 'openid' scope) and outputs (the 'id_token'
> in the token response). You can pretty easily build an OIDC client on top
> of an OAuth client.
>
> However, it's just not the same with UMA and OAuth (or OIDC). Think of it
> in terms of software: if I have an UMA client and I try to make it talk to
> a plain OAuth RS, it's going to have no idea what to do. Same goes the
> other way around. It's not a matter of "just a couple more redirects",
> since those redirects define a completely different protocol and require
> different code paths. If you're very, very careful you can have them side
> by side, and that's the best that we can work for in HEART in my opinion.
> But that doesn't mean we should try to figure out what both UMA and OAuth
> look like for every single use case. Especially when considering you can do
> AS introduction to both the client and RS outside of UMA (mostly -- we'll
> need to paste over some protocol gaps but it's all doable).
>
> And finally, in UMA 1.0, it's the RS that actually needs to know which
> scopes to give for a transaction. The user and client have no way of
> telling the RS which scopes they want, the RS just has to guess correctly
> and attach those to a ticket. The client in UMA is supposed to just take
> the ticket and let the AS figure out what to do with it.
>
> Hope this makes sense,
> -- Justin
>
> On 7/12/2015 7:57 PM, Debbie Bucci wrote:
>
> >>> Unfortunately, there's no "is_alice" flag in the protocol stack
> that we can count on.
>
> Maybe there should be. How does a client know its an OIDC client ....
> the presence of the id_token? An OAUTH client needs direct the resource
> owner (assumed Alice?) to get a token on its behalf by somehow knowing
> what the authorization endpoint is ... typically done via the RO user
> agent and the redirect URI is/are given. In the delegated flow ... Alice
> is not around ... could that be a trigger? Bob (delegate) will need to
> have a pre arranged relationship with the authorization server in some way
> or manner.
>
>
> >>>An UMA client needs to be able to be pointed to an AS, take in a ticket
> (as a JSON value, regardless of what encoding the API it's speaking to
> uses), talk to the "requesting party" endpoint to trade the ticket for a
> token, and then it needs to be able to gather the claims that the AS gives
> it hints for. As Eve keeps pointing out, those claims could be absolutely
> anything, fulfilled by the client or by someone else or just because it's
> Tuesday, so the client is really going to need to be written to a very
> specific profile of UMA for it to have any chance of doing something
> useful. Then it needs to come back with the ticket, again, and try to get a
> token, potentially repeating the claims gathering cycle if it guessed wrong
> on the last step.
>
> I believe you just [primarily] explained the *on the wire* on the ATT
> flow (thank you!).
> Following the flow ... it seems the burden is on the Requesting party to
> understand what claims the AS hints for - not the client.
>
> I may be naive but does a client really know how many redirects occurs
> until its has an access token?
>
>
>
>
>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20150712/76c9d73f/attachment-0001.html>
More information about the Openid-specs-heart
mailing list