Am 20.04.2010 22:19, schrieb Marius Scurtescu:
On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt
<[email protected]>  wrote:
As a major advantage the authorization server can be stateless with respect
to authorization transaction data because there is no need to hold such data
until the client obtains the tokens from the authorization server (callback,
client, verification code, identity and so on). This simplifies the
cluster/loadbalancing/fail-over architecture of the authorization server.
If making the authz server stateless is the major goal, you can
probably achieve that by encoding and encrypting all relevant data in
the verification code and set a short lifetime on it. Would that work?

This would work if the goal is stateless design only. I would also like to save the second call. Since the protocol prescribes a second request to exchange the verification code into the tokens, libraries will perform this call.


Moreover, the load on the authz server should be reduced and the client
saves the roundtrip time of the second call. This is even more important if
clients extensively use the new "immediate" parameter to implement a SSO
alike behavior and use this flow very often.
True, there is a small gain here, but on the other hand you don't have
do deal with crypto.

Assessment of the gain might depend on the point of view. My point of view is the authorization server operator and the expected absolut request volume. I think a client can use OAuth in two ways.

(1) The client performs the authorization process, obtains and stores the long-living refresh token. Within a user session, this client retrieves the refresh token from its database, acquires a corresponding access token and access the service.

(2) The client does not store the refresh token. Instead in every client session, it initiates the OAuth authorization process again. The Authorization server authenticates the user, probably with SSO experience, and responds with the already existing refresh tokens and a new access token.

(1) has the characteristics of a setup process and will probably performed a few times per user over a long period. Let's assume a user base of 10 million users, where every user access 3 application/day. Tokens are valid for 1 year and application setup is uniformly distributed over the year. This ((10 million users * 3 apps) / 365 days) makes roughly 100 thousand authorization requests per day + 30 million refresh token requests.

(2) in contrast, this variant has the characteristics of a SSO solution. This would result in 60 million requests per day (10.000.000*2*3), instead. So variant (2) would double the load, which in the first place is a cost driver. My proposal will cut (2) down to 30 million requests.

Please correct me if I'm wrong.

Yes, you have to deal with crypto in order to implement my proposal. A lot of people seam to have problems with it, but others not. I mean cryptography is the foundation of reliable security. Yes it makes implementing applications harder, but sometimes you cannot circumvent it in order to achieve a protection or other goal (e.g. scalability, fault-tolerance, performance). Kerberos has shown sucessfully how to trade crypto for incredible performance and scalability. My proposal is intended as an variant of the flow, deployments are free to choose. I think most of them will use the simpler approch, but why not offering an option for the rest that is standard compliant, too? Without standard approval, there will no support in libraries, which make implementation even harder :-(

regards,
Torsten.

Marius


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to