On 06/28/2016 03:18 AM, 林自均 wrote:
Hi Steve,

Thanks for your explanation! I have some further questions:

You said that OS-OAUTH doesn't make Keystone a proper OAuth provider, so what is missing? Can you name some of the missing parts?

Another thing, a backlog started by you proposed to unify delegation features [1]. Its spec uses terms of "trustor" and "trustee". Can I say that the unified delegation workflow will be more like (or even the same as) the one in current OS-TRUST?

Yes. The idea is that OAuth is a more standard protocol, but leaves out some of the details. Trusts fill in the details of how to specify the delegation. They fit together nicely.


[1] https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html

John


Steve Martinelli <s.martine...@gmail.com> wrote on Tue, 28 Jun 2016 at 1:57 PM:

    So, the os-oauth routes you mention in the documentation do not
    make keystone a proper oauth provider. We simply perform
    delegation (one user handing some level of permission on a project
    to another entity) with the standard flow established in the
    oauth1.0b specification.

    Historically we chose oauth1.0 because one of the implementers was
    very much against a flow based on oauth2.0 (though the names are
    similar, these can be treated as two very different beasts, you
    can read about it here [1]). Even amongst popular service
    providers the choice is split down the middle, some providing
    support for both [2]

    We haven't bothered to implement support for oauth2.0 since there
    has been no feedback or desire from operators to do so. Mostly, we
    don't want yet-another-delegation mechanism in keystone, we have
    trusts and oauth1.0; should an enticing use case arise to include
    another, then we can revisit the discussion.

    [1] https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
    [2] https://en.wikipedia.org/wiki/List_of_OAuth_providers

    On Mon, Jun 27, 2016 at 11:15 PM, 林自均 <johnl...@gmail.com> wrote:

        Hi all,

        When I was searching for an OAuth provider in Keystone, I found
        only OAuth 1.0. I am a little bit curious about the decision
        of 1.0 over 2.0. I failed to see the reason in the
        documentation
        <https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>
        and this blueprint
        <https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth>.
        Is OAuth 2.0 not compatible with the design of Keystone?

        John

        _______________________________________________
        Mailing list:
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
        Post to     : openstack@lists.openstack.org
        <mailto:openstack@lists.openstack.org>
        Unsubscribe :
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


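The OAuth 1.0a (RFC 5849) request signing that the OS-OAUTH1 delegation flow Steve describes above depends on, shown here as an added example rather than Keystone's own client code. The Keystone URL, consumer key/secret and the "oob" callback value are assumed placeholders; the point is that the consumer secret and token secret only ever key the HMAC and never travel in the request.

```python
"""OAuth 1.0a HMAC-SHA1 request signing for a Keystone OS-OAUTH1 call.
Added example; endpoint, key and secret values are assumed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Parameters are encoded, sorted by name then value, joined with '&',
    # and the whole normalized string is encoded once more.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # HMAC key = consumer_secret '&' token_secret (token secret is empty on
    # the request-token step); the secrets themselves are never sent.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, consumer_key, consumer_secret,
                         token="", token_secret="", nonce=None, timestamp=None):
    # Builds the Authorization header for one OS-OAUTH1 request. The
    # nonce/timestamp pair is what lets the server reject replays.
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token          # access/request token, later steps
    else:
        oauth["oauth_callback"] = "oob"       # assumed out-of-band callback
    base = signature_base_string(method, url, oauth)
    oauth["oauth_signature"] = sign(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in sorted(oauth.items()))
```

Server-side verification recomputes the same base string from the received parameters and compares the HMAC in constant time, so any tampering with the requested project or token parameters invalidates the signature.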
