Hi Together,
I was thinking about some (at least I see it in that way) problem in the
whole oauth/openid design:
The problem is the following:
The user has no control about what providers are accepted by the clients
(websites, etc.) and this opens access to these providers without any
way to protect against that.
Example:
I've created an account with email/password login at stackoverflow
I've created an account with the same email at github
-> logged out from stackoverflow
-> logged in via github oauth -> working and connected to the email/pw
account from stackoverflow
Stackoverflow has the possibility to remove the github login now, but
the main problem is, that I would be out of control, that some of these
oauth providers
(please don't go into the discussion WHY they or anyone should do it)
could access my accounts, when such site would allow them as provider.
In my opionion it would be good to avoid such issues, by including
something in the standard, that the user MUST allow the connection on
both sides on the client
and on the provider.
Yes for sso without any existing account that's some kind of an issue,
but still it could be added some verification process like sending
confirmation link
That the user is accepting the oauth provider on the Client side.
Then the oauth provider would also need access to my emails to access my
account.
Not sure if I'm wrong here but I think my description is correct.
BR,
Matthias
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
