Matthias,

> On Dec 23, 2025, at 9:29 AM, Matthias Fulz <[email protected]> wrote:
>
> Yes and THAT IS THE PROBLEM: OAuth SHOULD take CARE about! It's the core
> protocol and it totally ignores the Identity Owner itself in the whole trust
> model.
The IETF does not police implementations of its protocols. OAuth best practices cover how to securely implement the OAuth protocol but do not mandate specific identifiers or kinds of identity validation - that is up to the AS implementation/configuration. In fact, an identity might not even be a person.

If Facebook did not verify that you had access to the email account you supply as an identifier, that would be a clear security issue *in that implementation* and would likely have prevented that service from growing to its present size, because users would not accept that impersonators could so easily hijack their email address. However, that is *not* the case: FB *does* validate that you have control of the email address you use, and in fact they also validate your real name in some situations - my FB "real name" is not my real name, since apparently one of us Michael Sweets is famous/well-known and I didn't/don't trust FB enough to send them a picture of gov't ID to verify my real name...

Similarly, if you want to add your phone number(s) to your FB account, you have to verify you have access to those numbers.

Regardless of whether you use OAuth or some other scheme, the authorizing party is responsible for verifying your identity and establishing some way to validate access in the future, and *you* (the user) are responsible for trusting the authorizing party with your information to whatever extent you are comfortable. For me and Facebook, I was OK supplying a throw-away email address that I have access to and a pseudonym that is close enough to my real name to allow friends and family to find/contact me there. But they don't have my real name, address, phone number, or other email addresses that I use for different purposes.

________________________
Michael Sweet
