- From: Robert Collins <robertc@squid-cache.org>
- Date: Wed, 22 Feb 2012 11:53:27 +1300
- To: Barry Leiba <barryleiba@computer.org>
- Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Feb 22, 2012 at 11:36 AM, Barry Leiba <barryleiba@computer.org> wrote:
>> browser id, openid, and oauth are all authentication frameworks built
>> on top of HTTP
>
>
> OAuth is an authorization framework, not an authentication one. Please be
> careful to make the distinction.
I call rubbish:
http://tools.ietf.org/html/rfc5849#section-1.1
And I quote: " client
An HTTP client (per [RFC2616]) capable of making OAuth-
authenticated requests (Section 3).
server
An HTTP server (per [RFC2616]) capable of accepting OAuth-
authenticated requests (Section 3)."
OAuth certainly *thinks* it provides *both* Authentication *and*
Authorization, and it uses the same header that Basic and Digest do -
Authorization.
> What we're looking at here is the need for an HTTP authentication system
> that (for example) doesn't send reusable credentials, is less susceptible to
> spoofing attacks, and so on.
Those are good things too, though orthogonal to my point, which is
that some of the most widely deployed authentication - yes,
authentication - systems used by web sites are not part of the HTTP
protocol spec. OpenID and cookie based systems in general.
(Though OAuth is a pleasing exception in that it can and does
preferentially use the Authorization header).
-Rob
Received on Tuesday, 21 February 2012 22:53:55 UTC