oidc-deploy - RE: a start, OAuth2 use cases, thoughts on addressing each
Subject: OIDC Deployment Working Group
- From: Eric Goodman <>
- To: "" <>
- Subject: RE: a start, OAuth2 use cases, thoughts on addressing each
- Date: Thu, 9 Aug 2018 16:21:49 +0000
I separately sent a note to Nathan that I'm on the agenda for the UC-wide API
"standards" workgroup to discuss what people are doing/looking with
OIDC/OAuth. That meeting is a week from Friday, so hopefully I'll have some
data points to provide after that meeting -- which is unfortunately after our
next OIDC group meeting. Vaguely related, I'm at a conference next Tuesday,
so may miss next week's call.
--- Eric
-----Original Message-----
From: <> On Behalf Of Steven Carmody
Sent: Thursday, August 9, 2018 8:43 AM
To:
Subject: a start, OAuth2 use cases, thoughts on addressing each
Hi,
On last week's call, Alan, Roland, and I volunteered to identify the
most common OAuth2 use cases currently in place on campuses; step 2 was
to identify best practice for addressing each; step 3 would be to see
how much of the required support is already available in the
Shibboleth-GEANT-Finnish OIDC work.
We had an email conversation, but it quickly became clear that this
would benefit from participation by the broader group.
I've created a new Google doc:
https://docs.google.com/document/d/15G_YRWisEa-5Kj5gU_D-i4MLMh-IJWl0Q5CAsqSy4ag/edit?usp=sharing
Everyone should be able to edit that doc. It includes large portions of
the email that Alan and I exchanged.
I'm on the way out the door to a family wedding (this won't be anywhere
near as much fun as our daughter's wedding in Dublin this past June --
that was five days of parties!), but fun nonetheless!
As you'll quickly see, this doc needs a lot of editing. More than that,
it needs people with more OAuth2 knowledge than me working on it. I'm
also not completely sure that I may be operating with out-of-date
assumptions. For instance, a couple of years ago most Native Apps were
using OAuth2 to authenticate users -- is that still true? The current
recommendation for Native Apps seems to be to use "Authorization Code
Grant Type with PKCE (Proof Key for Code Exchange)" -- do apps really
use that?
The doc also leaves too many open questions hanging ... again, here's
hoping that people with more knowledge and more current knowledge can
improve the doc.
Here's hoping people have a chance to review this, mark it up, improve
it, and perhaps discuss it on the next call. Unfortunately, I'll miss
the next call. Sorry.