This time I am really puzzled by OAuth.
When I stumbled over it I began reading the available resources, from the home page to the Getting Started document and finally all of the OAuth 1.0 core specs.
OAuth is repeatedly claimed to be about authentication:
an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications
(OAuth home page, promised right upfront top)
More generally, OAuth creates a freely-implementable and generic methodology for API authentication.
(OAuth Core 1.0 Specifications, Abstract)
So far so good....what puzzles me so much is the fact that according to my understanding of authentication, OAuth isn't about authentication at all.
But decide yourself:
I consider authentication a well defined security concept:
Authentication
Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors.
So here is what one would expect from OAuth if it would be about authentication, based on their own example:
A typical example offered by the spec (Appendix A) is when a user wants to print a photo stored on another site. The interaction goes something like this: the user signs into the printer website and place an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site which can now access the photos. At no point did the user share her username and password with the printer site.
(OAuth Getting Started)
I take the freedom to reduce this to the following use case:
Which I resumed as follows:
- The user wants to print an image using a print service.
- The print service should get the photo on behalf of the user from the user's photo service.
- The user should be able to authorize the print service to get the photo, without having to expose the credentials of the photo service to the print service.
So let's see where we need authentication in this use case:
- Between user and print service
- Between user and photo service
- Between print service and photo service
So far so good. What one would expect is that OAuth is "somehow" about these three points (or part of them).
But surprise. Here is what the OAuth 1.0 core specs state:
1)
OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials with the Consumer.
(OAuth Core 1.0 Specifications, 6. Authenticating with OAuth)
2)
The Service Provider verifies the User’s identity and asks for consent as detailed. OAuth does not specify how the Service Provider authenticates the User.
(6.2.2. Service Provider Authenticates the User and Obtains Consent)
and:
When displaying any identifying information about the Consumer to the User based on the Consumer Key, the Service Provider MUST inform the User if it is unable to assure the Consumer’s true identity. The method in which the Service Provider informs the User and the quality of the identity assurance is beyond the scope of this specification.
(6.2.2 Service Provider Authenticates the User and Obtains Consent, last paragraph)
From my point of view, and the well established definition of authentication:
1) is a total contradiction, or at best a re-definition of authentication, to another well defined security concept, namely authorization:
Authorization
In security engineering and computer security, authorization is the concept of allowing access to resources only to those permitted to use them. More formally, authorization is a process (often part of the operating system) that protects computer resources by only allowing those resources to be used by resource consumers that have been granted authority to use them. Resources include individual files' or items' data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer programs and other devices on the computer.
2) states clearly that OAuth is not concerned with authentication between the user and the service.
3) states clearly that OAuth is not concerned with authentication between the services (consumer and provider).
So, maybe I am missing the point totally, or OAuth isn't about authentication at all.
3 comments:
I couldn't agree with you more. Well stated.
I was just slated with a request to "use OAuth for our new authentication model". It's a silly statement, and the spec and overviews are really guilty of perpetuating this confusion, and they seem loathe to correct it.
I think its authentication actually, since without the oauth tokens & secrets from the consumer, the provider doesnt know who the user is at all. The only way authentication can occur is by using this data.
The authorisation occurs at the photo service in your example case, and can be extended or revoked by the user at any time - no real oauth process specific stuff required.
Initially the process may appear as authorisation, during setup, but there is no actual requirement for a user to grant authorisation for anything, authentication is the only outcome oauth cares about, the rest is your usecase specific. But many usecases make more sense if you also grant some authorisation at the same time during initial setup.
Once the oauth dance has occurred, then its really only authentication imo.
Anonymous #2:
I can follow your argument, specifically if you are looking at the isolated part from the moment the access token is being used (Appendix A.5. Accessing Protected Resources).
If you want to, you may call it "a form of digest based authentication" with a previously established secret, but I really don't think it's a mayor part of what OAuth as a protocol is about (but then, as everything it may be just a point of view).
From my point of view, if you reduce everything to the last part (i.e. "a form of digest based authentication"), then you may as well find an alternative that is far more secure and probably less complicated in terms of the number of transactions and their required security safeguards......and there would be absolutely no need for OAuth at all.
Regards,
Dieter
Post a Comment