On Mon, Apr 27, 2009 at 8:25 PM, pkeane <pjke...@gmail.com> wrote:
> I'm happy with OAuth for the typical sorts of social networking,
> photo-sharing, etc. use cases, and I use it for that. But I'd very
> much like to be able to recommend it for more highly secure scenarios
> here on campus (I work in higher ed) that might involve confidential
> records. For OAuth to replace or be used in conjunction with the
> current campus SSO and federated systems like Shibboleth, we would
> really need that extra level of verifiable security.
Hi Peter -

SSO systems such as SAML/OpenID/others all use the equivalent of a callback token to bind the session at the identity provider to the relying party. The fix to the OAuth protocol is to make it look just like the "campus SSO and federated systems" that you mention above:

OpenID: signature on authentication response.
SAML POST profile: signature on authentication response.
SAML artifact profile: random single-use artifact value.

All of those systems pass a value that is unpredictable to the attacker to a trusted location at the consumer site. None of those systems force the user to do anything as obnoxious as manually type a pin at the consumer site.

If you think manually typing a pin increases security, you should explain the attack you're trying to prevent. Why should OAuth have such a requirement if SAML and OpenID don't? So far the only concrete "explanation" I've seen is that ATMs require PINs, so OAuth should require a PIN.

You're confusing two-factor authentication with federated authentication protocols. Two factor authentication is great, and it's fine for consumers and service providers to implement that. No change to the OAuth protocol is necessary to support it. Again, this is exactly analogous to the situation in OpenID and SAML. It's completely reasonable for a SAML IdP to implement two-factor authentication for their users, and doing so doesn't impact the SAML protocol one whit.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
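The point made in the reply above, that passing an unpredictable single-use value to a trusted location at the consumer site is what binds the provider-side authorization to the consumer-side session, is easier to see in a small model than in prose. The following is an added illustration written for this page; it is not code from the OAuth group, from any OAuth library, or from the thread's participants. It models one service provider and one consumer entirely in memory, omits request signing (which is orthogonal to the fixation problem), and uses a `require_verifier` switch so the same flow can be run with and without the fix. The URLs `consumer.example` and `provider.example` and the session labels are invented; the `oauth_token`/`oauth_verifier` parameter names follow OAuth's naming convention but are my choice here, not something the message specifies.

```python
"""Model of the OAuth request-token session-fixation problem and the
"callback token" fix.  Added example; assumes in-memory state, one consumer,
one provider, hypothetical URLs, and no request signing."""
import hmac
import secrets
import urllib.parse


def query_of(url):
    """Parse the query string of a URL into a dict (assumed single-valued)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


class ServiceProvider:
    """Issues request tokens, records user authorization, exchanges for access."""

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier  # False models the pre-fix flow
        self.request_tokens = {}                  # request token -> record
        self.access_tokens = {}                   # access token -> resource owner

    def issue_request_token(self, consumer_key, callback_url):
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key,
                                      "callback": callback_url,
                                      "owner": None, "verifier": None}
        return token

    def authorize(self, user, token):
        """Resource owner approves the token.  Returns the redirect the provider
        sends to the user's browser.  With the fix, a fresh random verifier rides
        along to the consumer's registered callback, which only that browser and
        the consumer ever see."""
        rec = self.request_tokens[token]
        rec["owner"] = user
        if self.require_verifier:
            rec["verifier"] = secrets.token_urlsafe(16)
            return (f"{rec['callback']}?oauth_token={token}"
                    f"&oauth_verifier={rec['verifier']}")
        return f"{rec['callback']}?oauth_token={token}"

    def exchange(self, consumer_key, token, verifier=None):
        """Trade an authorized request token for an access token (single use)."""
        rec = self.request_tokens.get(token)
        if rec is None or rec["owner"] is None or rec["consumer"] != consumer_key:
            raise PermissionError("unknown or unauthorized request token")
        if self.require_verifier and not hmac.compare_digest(
                rec["verifier"], verifier or ""):
            raise PermissionError("verifier missing or wrong")
        del self.request_tokens[token]
        access = secrets.token_hex(8)
        self.access_tokens[access] = rec["owner"]
        return access


class Consumer:
    CALLBACK = "https://consumer.example/callback"          # hypothetical
    AUTHORIZE = "https://provider.example/authorize"        # hypothetical

    def __init__(self, key, provider):
        self.key, self.provider = key, provider
        self.sessions = {}        # browser session id -> access token

    def start(self, session_id):
        """Begin a flow for a browser session; return the authorization URL."""
        token = self.provider.issue_request_token(self.key, self.CALLBACK)
        return f"{self.AUTHORIZE}?oauth_token={token}"

    def callback(self, session_id, url):
        """Callback handler: exchange whatever the browser brought back and
        attach the resulting access token to that browser's session."""
        params = query_of(url)
        access = self.provider.exchange(self.key, params["oauth_token"],
                                        params.get("oauth_verifier"))
        self.sessions[session_id] = access
        return access


def run_flow(require_verifier):
    """Play the fixation attack once.  Returns which resource owner each
    browser session ends up acting as (None when the consumer refused)."""
    sp = ServiceProvider(require_verifier)
    consumer = Consumer("consumer-key", sp)
    # 1. Attacker starts a flow in their own session and reads the request token.
    token = query_of(consumer.start("attacker-session"))["oauth_token"]
    # 2. Attacker lures the victim into authorizing that token.  The provider
    #    redirects the victim's browser to the consumer's callback.
    redirect = sp.authorize("victim", token)
    # 3. Attacker never sees that redirect; knowing only the token, they hit
    #    the callback first, trying to land the victim's grant in their session.
    result = {"attacker_acts_as": None, "victim_acts_as": None}
    try:
        consumer.callback("attacker-session", f"{Consumer.CALLBACK}?oauth_token={token}")
        result["attacker_acts_as"] = sp.access_tokens[consumer.sessions["attacker-session"]]
    except PermissionError:
        pass
    # 4. The victim's browser follows the real redirect, verifier included.
    try:
        consumer.callback("victim-session", redirect)
        result["victim_acts_as"] = sp.access_tokens[consumer.sessions["victim-session"]]
    except PermissionError:
        pass
    return result


if __name__ == "__main__":
    print("without verifier:", run_flow(require_verifier=False))
    print("with verifier:   ", run_flow(require_verifier=True))
```

Without the verifier the attacker's session ends up holding an access token for the victim, because the request token alone is enough to finish the exchange and the attacker knows it. With the verifier the attacker's exchange is refused and only the browser that actually passed through the provider's redirect, the victim's, can complete the flow; that is the same property a SAML artifact or a signed OpenID response provides, and nothing in it requires the user to type anything.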