On Tue, Jul 9, 2024 at 7:20 PM Scott Q. via mailop <mailop@mailop.org> wrote:
> What exactly is missing for broad acceptance ?
>
> https://openid.net/specs/openid-connect-discovery-1_0.html defines some
> pretty clear ways to autodiscover the endpoints.
>
> MS & Google and Keycloak both offer this URL:
>
> https://login.microsoftonline.com/domain.com/.well-known/openid-configuration
> https://accounts.google.com/.well-known/openid-configuration
>
> I believe the latest Yahoo mobile app won't even connect to imap/smtp
> servers that don't have oauth2 support.
>
> It seems as if the big guys are closing down the eco-system...

Or they have hundreds of millions of customers who routinely suffer from password hijacking attacks on a scale that's hard to imagine, and regular password-based login for smtp/imap has almost no mechanisms to use any of the advanced login behaviors that the eco-system has pushed, including 2FA, webauthn, and passkeys, not to mention more advanced risk assessment and barriers to bots and hijacking attempts. Using OAUTHBEARER punts the actual login to the web (or to the OS's built-in oauth login support) to protect customers.

I've seen arguments that some of these types of large scale attacks are only possible due to the large scale providers' existence... or in some cases, the large scale attacks and responses still allow a lot of small stuff through, and maybe a system with more providers of smaller sizes would suffer less... maybe it would mean a larger number of anti-hijacking folks spread across such an eco-system. Or maybe a more varied set of defenses across a larger number of providers would make it more complicated for attackers to concentrate their attacks... I'm not sure that has proven true in the spam attack eco-system, though, so it's unclear that would work in the hijacking one. Another interesting case there would be APTs and high value targets; that number of attacks is much smaller and more targeted, so it may only be up to larger systems to have the attack exposure necessary to justify spending on defense against it.

Anyways, hijacking, the slow agonizing death of password-based auth, and the solution for imap/smtp (which, while open, may be imperfectly so) certainly have legitimate justification, and tying that to "closing down the eco-system" seems odd... certainly other providers can still offer password-based auth, and it seems more incumbent on them and the client folks to figure out discovery. Oh, and that's before you get to the entire third party services thing where you don't want your users giving random services their password; oauth solves that problem... and then the client-id validation is used to try and solve the cambridge analytica / unroll.me problem of problematic third party services. Honestly that issue is more of a problem for the open eco-system than the "big guys". Let me access your email to tell you which character trait you are from <insert latest popular movie/show/book series here>, what could go wrong...

Brandon
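Added example (editor's note, not part of Brandon's message and not code from Google, Microsoft, Keycloak or any mail client): what the OAUTHBEARER exchange from RFC 7628 that the reply refers to actually looks like on the IMAP wire, including the server's failure response that points the client at the provider's openid-configuration URL, plus the check a client should make on the discovery document the quoted message links to (the issuer inside the document must be identical to the issuer it was fetched from, OpenID Connect Discovery 1.0 section 4.3). All hosts, users, tokens and the discovery JSON are constructed placeholders; the HTTP fetch is left out so it runs offline.

```python
"""Added example for this thread (not code from any provider, mail client
or the original post): the IMAP OAUTHBEARER exchange from RFC 7628 and the
OIDC discovery document check from OpenID Connect Discovery 1.0.  All hosts,
users, tokens and the discovery JSON below are constructed placeholders."""
import base64
import json

KVSEP = "\x01"  # RFC 7628 key/value separator
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def oauthbearer_initial_response(user, host, port, token):
    """Base64 argument for 'tag AUTHENTICATE OAUTHBEARER ...' (RFC 7628 3.1):
    gs2-header, 0x01, host/port/auth pairs each ended by 0x01, final 0x01."""
    gs2_header = f"n,a={user},"  # no channel binding, authorization identity
    pairs = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    raw = gs2_header + KVSEP + pairs + KVSEP
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def xoauth2_initial_response(user, token):
    """Same idea in the older XOAUTH2 shape that Google and Microsoft also
    document: 'user=...' 0x01 'auth=Bearer ...' 0x01 0x01 (no host/port)."""
    raw = f"user={user}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_sasl(b64):
    """Inverse of the two builders, useful when reading a wire capture."""
    return base64.b64decode(b64).decode("utf-8")


def parse_server_failure(b64):
    """Decode the base64 JSON a server sends when it rejects the token
    (RFC 7628 3.2.2).  The client must then send a lone 0x01 ('AQ==') to
    end the exchange, after which the server reports the failure."""
    doc = json.loads(base64.b64decode(b64).decode("utf-8"))
    if "status" not in doc:
        raise ValueError("server failure response without 'status'")
    return doc


def issuer_from_discovery_url(url):
    """Issuer URL that a discovery URL advertises (OIDC Discovery 1.0, 4.1)."""
    if not url.endswith(DISCOVERY_SUFFIX):
        raise ValueError(f"not a discovery URL: {url!r}")
    return url[: -len(DISCOVERY_SUFFIX)]


def load_discovery(issuer_url, doc_text):
    """Parse a discovery document retrieved from issuer_url + DISCOVERY_SUFFIX.
    The 'issuer' inside must be identical to the issuer we asked for
    (OIDC Discovery 1.0, 4.3); on a mismatch the endpoints must not be used,
    otherwise a hostile or mis-served document can redirect the login."""
    doc = json.loads(doc_text)
    if doc.get("issuer") != issuer_url:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_url!r}")
    required = ("authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError("discovery document missing " + ", ".join(missing))
    return {k: doc[k] for k in ("issuer",) + required}


# Constructed sample discovery document (placeholder issuer, not a real provider).
SAMPLE_ISSUER = "https://idp.example.net"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed server failure, as a server would send it in a '+ ' continuation.
SAMPLE_FAILURE_B64 = base64.b64encode(json.dumps({
    "status": "invalid_token",
    "scope": "imap smtp",
    "openid-configuration": SAMPLE_ISSUER + DISCOVERY_SUFFIX,
}).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    b64 = oauthbearer_initial_response("user@example.com", "imap.example.net", 143, "TOKEN")
    print("C: t1 AUTHENTICATE OAUTHBEARER " + b64)
    failure = parse_server_failure(SAMPLE_FAILURE_B64)
    print("S: + " + SAMPLE_FAILURE_B64)
    print("C: AQ==")  # lone 0x01 ends the failed exchange
    print("S: t1 NO SASL authentication failed")
    issuer = issuer_from_discovery_url(failure["openid-configuration"])
    print(load_discovery(issuer, SAMPLE_DISCOVERY))
```

The point of the failure branch is the one the quoted message is asking about: a server that speaks OAUTHBEARER can tell a client which openid-configuration to read, so a client that validates the issuer can bootstrap the web login from the mail server alone, without a hard-coded per-provider list.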
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop