[cap-talk] OAuth vs. CapDoc contrast

Jed Donnelley jed at nersc.gov
Mon Oct 1 18:15:31 EDT 2007


On 9/30/2007 5:34 PM, Karp, Alan H wrote:
> Jed wrote:
>> In response to my questions Blaine Cook said:
>>
>> "OAuth is intended to replace Basic authentication"
>>
> And that's the fundamental flaw, it's IBAC, not ABAC.  That explains the
> (potential) excess authority described in Appendix B.9, the inability to
> delegate further, and the fact that its use model is restricted.  It
> may also contribute to the complexity of the protocol.

Hmmm.  I see your point.  However, I don't think Blaine
was suggesting that an OAuth authorization is intended
to grant ambient user authority.  You're right that is
what Basic Authentication does, but while OAuth may
be intended to replace Basic Authentication I believe
the intent is to do so with finer grain authorizations.

Certainly in the OAuth request tokens it is possible
to specify specific resources that are likely a
subset of those available to a user/identity.
Although the spec admits varying interpretations
of how broad authorizations are, I believe it
admits an interpretation where an authorization
is for a single "object" such as a photograph.

My biggest problem with OAuth lies in its
complexity (including the seemingly redundant
authorization step) and in its lack of a
parameter passing mechanism for permissions
(authorizations).

--Jed  http://www.webstart.com/jed/
