
discussion: OAuth - using OAuth just for authentication #1966

Open
elarlang opened this issue May 19, 2024 · 4 comments
Assignees
Labels: "1) Discussion ongoing" (Issue is opened and assigned but no clear proposal yet); "Community needed" (This issue will not be progressed without community input. Will be closed if stale.); "V51" (Group issues related to OAuth); "_5.0 - prep" (This needs to be addressed to prepare 5.0)

Comments

@elarlang
Collaborator

spin-off from #1916 "Discussion/Proposal 4"

There is a clear trend of over-engineering with OAuth. One example is using OAuth only to provide authentication. In this case, OIDC should be used directly, without the OAuth overhead.

Also addressed here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-7.1

The question is: should we view it only as unnecessary over-engineering, or as a security problem that opens up a new set of attack vectors?

--
Feedback from @tghosth in #1916 (comment)

I agree this is an important idea but the idea needs to be actionable

@elarlang elarlang added the V51 Group issues related to OAuth label May 19, 2024
@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels May 23, 2024
@csfreak92
Collaborator

I am not sure what could be our actionable recommendation for this issue though. Maybe as a guide, let's write down the concern from this statement:

security problem to open up a new set of attack vectors.

Got any ideas @jsherm-fwdsec and @TobiasAhnoff?

@csfreak92 csfreak92 added the Community needed This issue will not be progressed without community input. Will be closed if stale. label May 25, 2024
@randomstuff

directly OIDC should be used without OAuth overhead

I'm not sure I understand what you mean by that. OIDC is a layer on top of OAuth so …

@elarlang elarlang changed the title proposal/discussion: OAuth - disallow using OAuth just for authentication discussion: OAuth - disallow using OAuth just for authentication May 25, 2024
@elarlang elarlang changed the title discussion: OAuth - disallow using OAuth just for authentication discussion: OAuth - using OAuth just for authentication May 25, 2024
@elarlang
Collaborator Author

My reason for opening the issue: OAuth was not built for authentication, but if it is used only for that purpose, is it an acceptable solution, or does the over-engineering open too many security holes?

https://auth0.com/intro-to-iam/what-is-oauth-2

OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data.

@csfreak92 - I agree; based on my current knowledge, an actionable requirement is not a likely outcome at the moment.

I changed the issue title and removed the "proposal" part. At the moment the goal is to have a discussion and collect arguments: is it worth having a requirement, a recommendation, or a mention in the chapter texts, or are all concerns somehow covered by other requirements?

@randomstuff - yes, it was bad wording from my side. Including the issue title (modified this one as well).

I have seen too many times that an "authentication decision" or user data is read from a JWT-format access token. An access token is not meant for that. Often, every token from the same authorization server is treated as valid - and if it provides tokens to different applications (which is usually the case, because that is the entire point of it), every valid token from the same authorization server is enough to authenticate to the application.

So, my goal here is to collect feedback and arguments on whether this is something that requires further attention or not.
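To make the failure mode described in the comment above concrete, here is an added example; it is not code from this issue or from the ASVS project. It uses a constructed HS256 key, issuer, client ids and tokens (all hypothetical). `naive_authenticate` shows the pattern the comment warns about: any token the authorization server signed is accepted as a login. `strict_authenticate` shows the checks a relying party needs when it wants a login decision: an ID token (not an access token), `iss` equal to the expected issuer, `aud` containing this client's id, `exp` in the future, and `nonce` bound to the login request it started.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this demo and are not from any real deployment.
AS_SECRET = b"demo-hs256-secret-for-illustration-only"   # key shared by the AS and the app (HS256)
ISSUER = "https://as.example.test"                        # hypothetical authorization server
THIS_CLIENT_ID = "client-photo-app"                       # the relying party running this code


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, typ: str = "JWT") -> str:
    """Stand-in for the authorization server: sign claims with HS256.
    typ="JWT" for an OIDC ID token, typ="at+jwt" for a JWT access token (RFC 9068)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str) -> tuple[dict, dict]:
    """Check the HS256 signature and return (header, claims); raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "alg" from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(AS_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return header, json.loads(_b64url_decode(body_b64))


def naive_authenticate(token: str) -> str | None:
    """The pattern the issue warns about: any token our AS signed counts as a login here."""
    try:
        _, claims = verify_signature(token)
    except ValueError:
        return None
    return claims.get("sub")


def strict_authenticate(token: str, expected_nonce: str, now: float | None = None) -> str | None:
    """Accept only an ID token issued to *this* client: signature, typ, iss, aud, exp and nonce."""
    now = time.time() if now is None else now
    try:
        header, claims = verify_signature(token)
    except ValueError:
        return None
    if header.get("typ") == "at+jwt":         # an access token is not proof of login
        return None
    if claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if THIS_CLIENT_ID not in aud:             # token minted for another client of the same AS
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    if claims.get("nonce") != expected_nonce: # binds the token to the login request we started
        return None
    return claims.get("sub")


def demo_tokens(now: float, nonce: str = "n-123") -> dict[str, str]:
    """Constructed tokens covering the cases discussed in the thread."""
    base = {"iss": ISSUER, "sub": "alice", "iat": now, "exp": now + 300}
    return {
        "id_for_us": mint_token({**base, "aud": THIS_CLIENT_ID, "nonce": nonce}),
        "id_for_other_client": mint_token({**base, "aud": "client-billing", "nonce": nonce}),
        "access_token": mint_token({**base, "aud": "https://api.example.test", "scope": "photos.read"}, typ="at+jwt"),
        "expired_id": mint_token({**base, "aud": THIS_CLIENT_ID, "nonce": nonce, "exp": now - 1}),
    }


if __name__ == "__main__":
    fixed_now = 1_700_000_000
    for name, tok in demo_tokens(fixed_now).items():
        print(f"{name:22} naive={naive_authenticate(tok)!s:6} "
              f"strict={strict_authenticate(tok, 'n-123', now=fixed_now)}")
```

Running the block prints one line per token: the naive check returns `alice` for all three well-formed tokens, including the ID token issued to a different client and the access token meant for a resource server, while the strict check returns `alice` only for the ID token issued to this client. In a real deployment the signature step would use the issuer's published keys (JWKS) and asymmetric algorithms rather than a shared HS256 secret; the claim checks stay the same.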

@jmanico
Member

jmanico commented May 26, 2024 via email
