[iRail] Authentication and online identity management - thoughts

François REMY fremycompany_pub at yahoo.fr
Sat Jul 28 10:14:15 UTC 2012


Pieter,

For being the person who shared the article first, I think I have to 
disagree with you.

The main reason why the original authors of OAuth dislike OAuth 2.0 is that 
it's not a protocol anymore; it has become a framework. This means that it 
provides guidelines on how to build a credential system, but doesn't really 
provide a reference implementation nor strong requirements about, for 
example, token size and revocability; that means that even incorrectly 
secured or badly engineered implementations can be OAuth 2.0 compliant. As 
their initial intent with OAuth was to have a simple protocol that everybody 
could use and that was secure by default, they can't agree with what OAuth 
2.0 has become. To give authors more extensibility and compatibility with 
existing credential systems, it was however nearly impossible for their 
vision to become concrete; welcome to the real world. OAuth 1.0 didn't scale 
well to big services and was asking too much of the average developer.

On the other hand, secure OAuth 2.0 implementations are possible (Facebook 
and others wouldn't have used it otherwise) and have the advantage of being 
compatible with the many available OAuth 2.0 client implementations. Also, 
by forcing the use of HTTPS, OAuth 2.0 makes implementations much easier by 
deferring the security concerns to the transport layer instead of the 
application layer like OAuth 1.0 did (which is globally a good thing).

For what it's worth, WebID doesn't seem to provide any modern notion of 
identity management (revocable tokens, partial access...) and the draft 
seems to have been unmaintained for some time already; given how old the 
proposal is you can think about it as a dead protocol for now. But, again, 
both WebID and OpenID don't provide revocable tokens and all those things 
that made identity management possible and secure by default. OAuth 
originated from this failure of OpenID to provide access delegation.

BTW, as it's said in the original article, I think that we shall not need 
to wait too long before people share stronger guidelines on top of the current 
specification as reference implementations; it's also worth noting that 
many OAuth 2.0 implementations out there are actually evolved OAuth 1.0 
implementations which means they kept most if not all of the security and 
conformance requirements of OAuth 1.0.

All in all, I personally don't think replacing OAuth with anything else is 
opportune at this time.
François




-----Original Message----- 
From: Pieter Colpaert
Sent: Saturday, July 28, 2012 2:03 AM
To: iRail mailing list
Subject: [iRail] Authentication and online identity management - thoughts

Hi all,

Context: for iRail 3.0, we're building a single sign on system for all
applications built at iRail. This means you will have one identity which
is connected to all iRail apps. What we are building can be viewed in
(pre-)alpha stage over here: https://id.iRail.be.

Yesterday I came across an interesting read concerning identity
management, single sign-on systems and OAuth [1]. It pretty much states
that OAuth2.0 failed to do what it should have done.

Building further upon OAuth2.0 seems like a bad idea in the long run for
PlugID [2]. Concerning iRail 3.0 and https://id.iRail.be, I still think
OAuth is the way to go as there won't be any de facto standard
alternative any time soon. For the open-source project PlugID I think we
should slowly start to look at viable alternatives, such as WebID [3].

What are your thoughts on this one?

[1] http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
[2] http://github.com/iRail/PlugID
[3] http://www.w3.org/wiki/WebID

Kind regards,

Pieter

-- 
iRail vzw/asbl
+32 (0) 486/747122
_______________________________________________
iRail mailing list
iRail at list.irail.be
http://lists.rootspirit.com/mailman/listinfo/irail 
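François's point above is that the OAuth 2.0 framework leaves token size, expiry, revocation and scope to the implementer, so the hardening has to come from the server that issues bearer tokens. The following is an added example, not code from this thread, from iRail or from PlugID, showing the kind of "stronger guidelines on top of the specification" a token server can enforce on its own: 256-bit random tokens, storage of only a hash of the token, a fixed lifetime, per-token and per-client revocation, scope checks for partial access, and refusal to honour a token presented over plain HTTP. The class and function names, the 32-byte token policy and the TTL are assumptions made for this illustration; the `scheme` argument stands in for whatever the real HTTP layer reports.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy: 32 random bytes (256 bits) per token. The OAuth 2.0
# framework itself sets no minimum, so a server has to choose one.
TOKEN_BYTES = 32


@dataclass
class TokenRecord:
    """Server-side state for one issued bearer token (hypothetical schema)."""
    token_hash: str          # sha256 of the token; the raw token is never stored
    client_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Issues, revokes and introspects bearer tokens (hypothetical component)."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for deterministic tests
        self._records = {}           # token_hash -> TokenRecord

    @staticmethod
    def _hash(token):
        # Storing a hash means a leaked token table cannot be replayed as-is.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, client_id, scopes):
        """Mint a high-entropy, time-limited, scoped token and return it once."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        rec = TokenRecord(self._hash(token), client_id, frozenset(scopes),
                          self._clock() + self._ttl)
        self._records[rec.token_hash] = rec
        return token

    def revoke(self, token):
        """Revoke a single token; returns False if the token is unknown."""
        rec = self._records.get(self._hash(token))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def revoke_all_for_client(self, client_id):
        """Revoke every live token of one client (e.g. after a client-secret leak)."""
        count = 0
        for rec in self._records.values():
            if rec.client_id == client_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def introspect(self, token, required_scope, scheme="https"):
        """Return (accepted, reason). Checks transport, existence, revocation,
        expiry and scope, in that order, so the cheapest rejection wins."""
        if scheme != "https":
            return False, "insecure_transport"   # bearer tokens only over TLS
        rec = self._records.get(self._hash(token))
        if rec is None:
            return False, "unknown_token"
        if rec.revoked:
            return False, "revoked"
        if self._clock() >= rec.expires_at:
            return False, "expired"
        if required_scope not in rec.scopes:
            return False, "insufficient_scope"
        return True, "ok"


def demo():
    """Walk one constructed token through every rejection path; returns reasons."""
    now = [1_000.0]
    store = TokenStore(ttl_seconds=600, clock=lambda: now[0])
    results = {}

    tok = store.issue("irail-app", ["read:timetable"])          # constructed client id
    results["https_ok"] = store.introspect(tok, "read:timetable")[1]
    results["http_rejected"] = store.introspect(tok, "read:timetable", scheme="http")[1]
    results["scope_limited"] = store.introspect(tok, "write:timetable")[1]
    now[0] += 601                                                # advance the fake clock past the TTL
    results["expired"] = store.introspect(tok, "read:timetable")[1]

    tok2 = store.issue("irail-app", ["read:timetable"])
    store.revoke(tok2)
    results["revoked"] = store.introspect(tok2, "read:timetable")[1]
    results["forged"] = store.introspect("not-a-real-token", "read:timetable")[1]
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:14s} -> {reason}")
```

The order of checks in `introspect` matters for operations: a token over plain HTTP is rejected before the store is even consulted, and a revoked token stays rejected after it expires, so audit logs tell the two cases apart. Revocation here is a flag rather than a delete so that a later presentation of a revoked token can still be recognised and logged as such.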



