One thing to think about is that often people are talking in different ways about the same thing. E.g. in the article, people are talking about authentication as a service, whereas in the IETF we talk about authentication as a protocol.

Mike, Tony, and I ran into this when we named the draft “User Authentication for Clients”. What we recognized was that at a protocol level, OAuth is being used to pass session information to a client. UA4C doesn’t do authentication but passes parameters and session information.

When we talked about UA4C in the OAuth WG we got caught up (wrongly) in whether OAuth WG even has a mandate that includes authentication. Yet, “authentication service” is all over OAuth (directly and indirectly - e.g. client authentication vs user authen). Developers use OAuth as a service because it depends on authentication of all parties (Users, clients, and service providers, and endpoints). Yet, in naming the draft we had to address the idea that what client developers want is access to a User authentication “service” which is how they view OAuth.

The difference between authentication as a “service” vs. “protocol” is subtle but seems important. I’m not sure if this is the thread that can explain the difference to the common IETF contributor and developer communities — otherwise, I’d be all over it.

Phil

@independentid
www.independentid.com
[email protected]

> On Dec 1, 2014, at 8:42 AM, Kathleen Moriarty
> <[email protected]> wrote:
>
> Hi Hannes,
>
> When something is written up and agreed upon, I'd recommend that we
> tweet about it in force to get the writeup some attention in an effort
> to help prevent this in the future. I could blog about it in the IESG
> blogs too if helpful.
>
> On Mon, Dec 1, 2014 at 11:25 AM, Hannes Tschofenig
> <[email protected]> wrote:
>> Hi all,
>>
>> I fear we have to write another article to clarify what OAuth does and
>> what it does not do based on the misinformation spread with this recent
>> article:
>> http://www.techopedia.com/definition/26694/oauth
>>
>> A quote from that article:
>> "
>> Graham Williams, a Vancouver-based technology expert, points to what is
>> known as an "open authentication protocol" — or OAuth — where people
>> often unwittingly share personal information with third-party websites.
>> "
>>
>> Ciao
>> Hannes
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> --
>
> Best regards,
> Kathleen
