Friday, April 8, 2011

OAuth: Does it authenticate? Well...Yes and No. And that's a good thing!

I'm not kidding. OAuth itself doesn't seemed to be defined. It's not an acronym just a name. In fact the specification draft simply says:
The OAuth 2.0 Authorization Protocol
"OAuth" itself isn't spelled out in most places. Wikipedia says its "Open Authorization". But who knows. I can't tell you how many times this question comes up. But if you ask me, it doesn't matter and that is a good thing. Let's dive into the question of authentication...

Does OAuth authenticate users?
No. The answer here is clearly no. Not only does OAuth not authenticate users, but it doesn't have anything to say about user authentication. But hang on, see the next question...

Does OAuth accomplish user authentication?
Yes. The answer here is yes, but the method is indirect. If you read my post on OAuth flows, you will know that OAuth has an "authorization" step that requires users to authorize clients to act on their behalf. For OAuth, authentication then is a logical conclusion of authorization.
In order to authorize a client to act on behalf of a user, the user must be known.
For a user to be known, the user must be authenticated.
Therefore, if a user has authorized a client, they must have authenticated.
This logic flow is at the heart of OAuth's power. Because authentication of participants is a necessary requirement of authorization, OAuth doesn't have to say how authentication is accomplished. Because of this, OAuth can be integrated with all sorts of authentication systems and protocols such as: LDAP, OpenID, SAML, WS-Trust, WebSSO, etc - placing OAuth at the crossroads of identity.

Ok, so does OAuth authorize?
Now you're jumping ahead. That's the subject for the next blog post. Stay tuned.

4 comments:

Keith Tobin said...

Hi,
If I have a web site that is authenticating users
again a separate identity management system. Both IMS and web site belong to the same owner.

Is it better to use SAML or OAuth

My impression is to use SAML as we are dealing with authenticating users.

If we were to use OAuth, what we would be doing is authenticating the user to say thet the IMS give the web site access to something like a service or resource.

Am I correct in my thinking.

Phil Hunt said...

Sorry for not getting back to you sooner.

In general I would say use SAML for authentication. Remember that OAuth issues tokens for clients to use as authentication to the Resource server only. Using OAuth to authenticate users to a client app is not correct. See John Bradley's posts here:
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
http://www.thread-safe.com/2012/01/solutions-for-using-oauth-20-for.html

Oleg Cohen said...

SAML is a good choice for web applications. OAuth is very popular for mobile applications. The two can be combined by allowing a mobile application to get an OAuth token via a SAML login to allow mobile users to authenticate to corporate directories without the need to store credentials on the mobile device.

Avi said...

I am using OAuth to authenticate Dropbox users where it redirects user to dropbox login page.
But, the problem is when I upload my application on web and runs it, it doesn't redirects and gives 401 error, whereas, it works fine when run locally.

Post a Comment