On 12/05/2015 19:58, Alexis Métaireau wrote:
> On 12/05/2015 07:56, Ryan Kelly wrote:
>
>> Indeed, this is a thorny issue. There's a saying that "OAuth is
>> for authorization, not authentication" but it doesn't stop
>> people using it for authentication all the time.
>
> If OAuth is for authorization, then we're okay in that regard I
> believe, but for storage, we're using the bearer token as a proof
> of identity as well. Shouldn't we?
Are we?
Does the storage service need to authenticate the user, or does it
just need to know that the bearer of the token is authorized to act on
the user's behalf?
>> Perhaps we should add an explicit OpenID Connect layer that *is*
>> for authentication, and keep the OAuth stuff for proper
>> scope-based delegated authorization.
>
> I'm not sure what that would mean in terms of workflow?
To be honest, neither do I. But its Wikipedia page [1] says that it
"is an authentication layer on top of OAuth 2.0, an authorization
framework" so it seemed relevant :-)
Cheers,
Ryan
[1] https://en.wikipedia.org/wiki/OpenID_Connect
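An added example, not from this thread or from the Firefox Accounts code, of the distinction Ryan's question draws: a storage service acting as a resource server only needs to confirm that the bearer token authorizes action on a user's behalf (right audience, right scope, not expired), and an OpenID Connect ID token, which is addressed to the client as proof of authentication, should not be accepted in its place. The JWT-style token layout, the shared HMAC secret, and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for real signature verification (assumption).
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict) -> str:
    """Mint a JWT-shaped, HMAC-signed token (demo only; constructed format)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_for_storage(token: str, now: Optional[float] = None) -> dict:
    """Resource-server check: authorization, not authentication.

    Returns the subject the bearer may act for and the granted scope,
    or raises ValueError. An ID token fails here because its audience is
    the client, not this service, and it carries no scope.
    """
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != "storage":
        raise ValueError("token not addressed to the storage service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "storage" not in claims.get("scope", "").split():
        raise ValueError("token lacks the storage scope")
    return {"sub": claims["sub"], "scope": claims["scope"]}
```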
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct