On Thu, Jun 2, 2011 at 11:40 AM, Thomas Hardjono <[email protected]> wrote:
> Well, not to belabor this point :) but in Kerberos it is the proof of
> possession of the client secret key which _is_ the authentication mechanism.
> There is also PKINIT (RFC4556) which can be used to "pre-authenticate" the
> user via Diffie-Hellman (anonymous) or a full X509 certificate.

The Kerberos notion of "client" is not the same thing as the OAuth notion of "client". The "client" in Kerberos maps to the OAuth "user". The "client" in OAuth is the application the user is using. Kerberos does not, for example, try to authenticate the kinit binary. It just tries to authenticate the person using the kinit binary. Kerberos does have a notion of forwardable service tickets that authenticate both the user and the service they are using; that's a much closer match to what OAuth2 does.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
