I agree. "2 party oauth", "3 party oauth" tells what it is, rather than "3 legged oauth".

On 03/18/2011 07:20 PM, Eran Hammer-Lahav wrote:

The legs terminology is just plain awful. I prefer parties, roles, anything else.

EHL

-----Original Message-----
From: oauth-bounces at ietf.org [mailto:oauth-bounces at ietf.org] On Behalf Of Phillip Hunt
Sent: Friday, March 18, 2011 5:07 PM
To: David Primmer
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth

I agree with what you are saying. We were having trouble understanding legs too, so I came up with the diagram. The diagram does show the parties aspect. But I remain uncomfortable about the terminology.

Phil

Sent from my phone.

On 2011-03-18, at 15:55, David Primmer <primmer at google.com> wrote:

Hi Phil,

I actually think this rephrasing of the rule of thumb is not really helpful based on how the word "legs" has been used in my experience of discussing and teaching OAuth. I actually tried to be pretty explicit about this topic in a talk I did at Google I/O last year because we have lots of questions about 2 versus 3 legged OAuth since the launch of the Google Apps Marketplace. http://www.youtube.com/watch?v=0L_dEOjhADQ. I speak about 17 mins in.

We have traditionally used the terms two legged OAuth and three legged OAuth to describe the trust relationships involved in the grant. I think your interpretation is very different and not a common way to use the term 'legs' in relation to OAuth and will simply confuse people.

2LO involves a client authenticating itself to a server. 3LO involves those two previous actors, plus a user/resource owner who delegates permissions to the client. In everyday use, 2LO is 'server to server' auth with out-of-band permissions and user identity, and 3LO involves an individual grant where the user's grant is identified by a token given to the client and passed to the server on access. Another way to look at it is 2LO is just HTTP request signing.

davep

On Mon, Feb 21, 2011 at 4:45 PM, Phil Hunt <phil.hunt at oracle.com> wrote:

FYI. I published a blog post with a flow-chart explaining the legs of OAuth.

http://independentidentity.blogspot.com/2011/02/does-oauth-have-legs.html

Please let me know if any corrections should be made, or for that matter, any improvements!

Phil
phil.hunt at oracle.com
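The 2LO/3LO distinction David Primmer draws above ("2LO is just HTTP request signing"; 3LO adds a token that identifies the user's grant) comes down to one concrete difference in OAuth 1.0 (RFC 5849) HMAC-SHA1 signing: whether an oauth_token is carried and whether its token secret is folded into the signing key. The example below is added here to show both sides of that exchange; it is not code from the mailing list, from Phil Hunt's blog post, or from any of the participants. The consumer/token registries and the request URL are constructed stand-ins for a server's database, and the server side deliberately omits the nonce/timestamp replay checks a real deployment needs.

```python
"""Two-legged vs three-legged OAuth 1.0 (RFC 5849) as HMAC-SHA1 request signing.

Two-legged: the client proves only its own identity (consumer key + secret);
the signing key is "<consumer_secret>&" with an empty token-secret half.
Three-legged: the request also carries oauth_token, the token secret joins the
key, and the server maps the token to the resource owner who granted it.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed registries standing in for the server's database (illustrative values only).
CONSUMERS = {"9djdj82h48djs9d2": "j49sk3j29djd"}          # consumer_key -> consumer_secret
TOKENS = {"kkk9d7dh3k39sjv7": ("dh893hdasih9", "alice")}  # oauth_token -> (token_secret, resource owner)


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params) -> str:
    """Signature base string (section 3.4.1): METHOD&base-URL&normalized-params."""
    u = urlsplit(url)
    host = u.hostname  # urlsplit lowercases scheme and host for us
    default_port = (u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)
    if u.port and not default_port:
        host = f"{host}:{u.port}"
    base_url = f"{u.scheme}://{host}{u.path}"
    # Query-string parameters and oauth_* parameters are encoded, sorted and joined.
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2. In 2LO the token-secret half is empty, so the key ends in '&'."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def hmac_sha1(method, url, params, consumer_secret, token_secret="") -> str:
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode(),
                   base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def client_sign(method, url, consumer_key, consumer_secret, token=None, token_secret="",
                nonce=None, timestamp=None) -> dict:
    """Client side: the oauth_* parameters that go into the Authorization header.
    Omit `token` for two-legged; pass token + token_secret for three-legged."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if token is not None:
        oauth.append(("oauth_token", token))  # this is what makes it 3LO
    sig = hmac_sha1(method, url, oauth, consumer_secret, token_secret)
    return dict(oauth, oauth_signature=sig)


def server_verify(method, url, auth_params, consumers=CONSUMERS, tokens=TOKENS):
    """Server side. Returns (ok, principal): 'client:<key>' for 2LO,
    'user:<owner> via client:<key>' for 3LO, or (False, None) on any failure.
    Nonce/timestamp replay checks are omitted here and are required in production."""
    params = dict(auth_params)
    presented = params.pop("oauth_signature", None)
    if presented is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, None
    ckey = params.get("oauth_consumer_key")
    csecret = consumers.get(ckey)
    if csecret is None:
        return False, None
    tsecret, owner = "", None
    if "oauth_token" in params:
        entry = tokens.get(params["oauth_token"])
        if entry is None:
            return False, None
        tsecret, owner = entry
    expected = hmac_sha1(method, url, params.items(), csecret, tsecret)
    if not hmac.compare_digest(expected, presented):
        return False, None
    # 2LO identifies only the client; 3LO additionally identifies the user's grant.
    principal = f"client:{ckey}" if owner is None else f"user:{owner} via client:{ckey}"
    return True, principal


if __name__ == "__main__":
    url = "https://photos.example.net/photos?file=vacation.jpg&size=original"
    two = client_sign("GET", url, "9djdj82h48djs9d2", "j49sk3j29djd")
    three = client_sign("GET", url, "9djdj82h48djs9d2", "j49sk3j29djd",
                        token="kkk9d7dh3k39sjv7", token_secret="dh893hdasih9")
    print("2LO:", server_verify("GET", url, two))
    print("3LO:", server_verify("GET", url, three))
```

The point to take from the two paths through `server_verify` is that a valid 2LO signature proves only "this request came from a holder of consumer key X"; any user identity or permission has to come from out-of-band configuration. A valid 3LO signature additionally proves the request was made with a token that a specific resource owner granted, because the token secret is part of the key and the token maps to that owner.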
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.