ive/2013/01/02/oauth-2-0-and-sign-in.aspx>.
It authoritatively covers much of the ground in our current
discussion.
Read and enjoy!
-- Mike
*From:* OAuth *On Behalf Of* Dick Hardt
*Sent:* Thursday, August 10, 2023 5:46 PM
*To:* Matthias Fulz
*Cc:* oauth@ietf.o
The client is acting as the user
On Thu, Aug 10, 2023 at 2:59 PM Matthias Fulz wrote:
I can follow your point but please try to think from a different
perspective:
As authorization protocol, how can it not let the user decide
which AS is AUTHORIZED at which RS acting as the us
From what I can understand in your discussion, you are wanting OAuth
to do something it is not designed for.
On Thu, Aug 10, 2023 at 2:03 PM Matthias Fulz wrote:
On 8/10/23 10:25, Warren Parad wrote:
You've lost me at this:
Some site, which I'm registered in is
And that latter case is actually the reality if we consider
these tokens to be a 2FA mechanism that is managed by the
site/resource server. So I read this as, we should standardize
*WebAuthn* communication between a *user agent* and the
*resource server*. That alread
nder full control of it. This
is not helping to protect the user from malicious intents.
On Thu, Aug 10, 2023 at 12:59 AM Matthias Fulz wrote:
I'm trying to explain my concern more deeply, please try to follow
my thinking.
First: Everything you've written is correct and
have a relationship with.
Further I could think of extended security, by using signed tokens with
user provided public key, so it's technically secured to just fake tokens.
On Thu, Aug 10, 2023 at 12:27 AM Matthias Fulz wrote:
Thank you for the responses so far.
On 8/9/23 22:20, Warren Parad wrote:
I can tell you I definitely read it. I actually read it multiple
times. But I don't know what to tell you. The problem you've
identified exists, but that doesn't necessarily mean it is a problem.
In a way it is a bit like
Hi Together,
I was thinking about some (at least I see it in that way) problem in the
whole oauth/openid design:
The problem is the following:
The user has no control over what providers are accepted by the clients
(websites, etc.) and this opens access to these providers without any
way t