On Wed, Jan 28, 2009 at 12:58 PM, Hans Granqvist <h...@granqvist.com> wrote:
> Sometimes I feel like we (people who have interest in the two concepts)
> maintain there is a difference to justify standards' existence, even if
> it's largely an academic difference with no pragmatic real meaning.

There are good reasons not to use the OAuth authorization protocol as
an authentication protocol.  (Note I said "protocol".  HMAC-SHA1 is
perfectly fine to authenticate a message, but a good authentication
protocol needs to think about what those messages say.)

Web authentication schemes should all have the following properties
(borrowing liberally from Kim Cameron's laws of identity):
- the message from the authentication authority should be signed.
This keeps someone from spoofing authentication messages.

- the message from the authentication authority should be directed: it
needs to be targeted at a specific entity.  This keeps one relying
party from replaying an authentication message to another relying
party.

- the message from the authentication authority should be timestamped:
this is necessary to prevent replay of authentication messages.

- the identity from the authentication authority should be scoped:
this is necessary to prevent one authentication authority from
authenticating users that are actually from another authentication
authority.

The OAuth protocol doesn't try to address any of those requirements,
nor should it.  It's a good delegation protocol, but that doesn't mean
it is usable out-of-the-box for authentication as well.

You can build federated authentication systems on top of the OAuth
signature scheme, though.  For one example, check out two-legged OAuth
from an OpenSocial container to a third party.

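As an added illustration (not part of the original message or anything the OAuth group published), the four properties listed above can be made concrete as a tiny assertion format: the authority signs a claims body with HMAC-SHA1, names the intended relying party (aud), stamps it (iat), and the relying party additionally requires that the subject belong to the issuer's own namespace. The trust store, secrets, claim names, timestamps and domains below are constructed for the example; the verifier returns a reason string so each failure mode (replay to another audience, stale assertion, cross-issuer subject, altered body) is visible.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store for the relying party: issuer -> shared HMAC secret.
# A real deployment would distribute these out of band (or use public keys).
TRUSTED_ISSUERS = {
    "idp.example.com": b"constructed-secret-for-idp-example-com",
    "idp.example.net": b"constructed-secret-for-idp-example-net",
}

MAX_AGE_SECONDS = 300   # assertions older than this are treated as replays
CLOCK_SKEW_SECONDS = 60  # tolerate a slightly fast authority clock


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    """Canonical (sorted, compact) JSON so the MAC covers a fixed byte string."""
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def mint_assertion(issuer: str, subject: str, audience: str, issued_at: int) -> str:
    """Authority side: the message is signed, directed (aud) and timestamped (iat)."""
    body_b64 = encode_claims({"iss": issuer, "sub": subject, "aud": audience, "iat": issued_at})
    tag = hmac.new(TRUSTED_ISSUERS[issuer], _unb64(body_b64), hashlib.sha1).digest()
    return body_b64 + "." + _b64(tag)


def verify_assertion(token: str, my_audience: str, now: int):
    """Relying-party side. Returns (True, subject) or (False, reason)."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
        claims = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"

    # Signed: look up the key by issuer and check the MAC before trusting any claim.
    secret = TRUSTED_ISSUERS.get(claims.get("iss"))
    if secret is None:
        return False, "unknown issuer"
    if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha1).digest(), tag):
        return False, "bad signature"

    # Directed: an assertion minted for another relying party must not work here.
    if claims.get("aud") != my_audience:
        return False, "wrong audience"

    # Timestamped: bound the replay window.
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - MAX_AGE_SECONDS <= iat <= now + CLOCK_SKEW_SECONDS):
        return False, "stale or future timestamp"

    # Scoped: an issuer may only vouch for identities in its own namespace.
    subject = claims.get("sub", "")
    if "@" not in subject or subject.rsplit("@", 1)[1] != claims["iss"]:
        return False, "subject outside issuer scope"

    return True, subject


if __name__ == "__main__":
    t0 = 1_233_000_000  # constructed "now", roughly January 2009
    token = mint_assertion("idp.example.com", "alice@idp.example.com", "https://rp.example.org/", t0)
    print(verify_assertion(token, "https://rp.example.org/", t0 + 5))       # (True, 'alice@idp.example.com')
    print(verify_assertion(token, "https://other.example.org/", t0 + 5))    # (False, 'wrong audience')
    print(verify_assertion(token, "https://rp.example.org/", t0 + 3600))    # (False, 'stale or future timestamp')
```

The scope check is what distinguishes this from a bare signed message: idp.example.net holds a perfectly good key, so a signature-only verifier would accept its assertion for alice@idp.example.com; tying the subject's domain to the issuer is what closes that.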
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---