Hi Steve,

Thanks for your explanation! I have some further questions:

You said that OS-OAUTH doesn't make Keystone a proper OAuth provider, so what is missing? Can you name some of the missing parts?

Another thing, a backlog started by you proposed to unify delegation features [1]. Its spec uses the terms "trustor" and "trustee". Can I say that the unified delegation workflow will be more like (or even the same as) the one in current OS-TRUST?

[1] https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html

John

Steve Martinelli <[email protected]> wrote on Tue, Jun 28, 2016 at 1:57 PM:

> So, the os-oauth routes you mention in the documentation do not make
> keystone a proper oauth provider. We simply perform delegation (one user
> handing some level of permission on a project to another entity) with the
> standard flow established in the oauth1.0b specification.
>
> Historically we chose oauth1.0 because one of the implementers was very
> much against a flow based on oauth2.0 (though the names are similar, these
> can be treated as two very different beasts, you can read about it here
> [1]). Even amongst popular service providers the choice is split down the
> middle, some providing support for both [2]
>
> We haven't bothered to implement support for oauth2.0 since there has been
> no feedback or desire from operators to do so. Mostly, we don't want
> yet-another-delegation mechanism in keystone, we have trusts and oauth1.0;
> should an enticing use case arise to include another, then we can revisit
> the discussion.
>
> [1] https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
> [2] https://en.wikipedia.org/wiki/List_of_OAuth_providers
>
> On Mon, Jun 27, 2016 at 11:15 PM, 林自均 <[email protected]> wrote:
>
>> Hi all,
>>
>> When I am searching for OAuth provider in Keystone, I found only OAuth
>> 1.0. I am a little bit curious about the decision of 1.0 over 2.0. I failed
>> to see the reason in the documentation
>> <https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>
>> and this blueprint
>> <https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth>.
>> Is OAuth 2.0 not compatible with design of Keystone?
>>
>> John
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : [email protected]
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
