OAuth suitability for client-administered authorization


DavidA

Mar 17, 2012, 4:11:09 AM
to everyauth
Hi,

I have a www application which consists of an authentication www
server and a backend server. I would like to authenticate user
credentials submitted to the authentication server using the client's
identity infrastructure. I would also like to use the client's
infrastructure to provide authorization for application-specific
features, under the sole control of an administrator appointed by the
client. On successful authentication, the privileges are returned by
the client's identity infrastructure, in a secure manner, to the
authentication server for storage in the user session. Only the
relevant privileges are returned.

There is a lot of heat around OAuth so I dug into it first. It seems
better suited to the Facebook model, though. The user authenticates
against Facebook, say, then interactively decides whether to grant
privileges requested by the application. Privileges are granted by the
user rather than the client's administrator, and the privileges which
are granted seem to be tied to the app rather than to the user, or a
role/group the user belongs to.

Shibboleth and other SAML systems seem like they might be a better fit
in this case. Does this seem a valid assessment? Everyauth looks like
a good project, but I don't want to bother the forum with questions if
the goals differ. There seems to be a lot of discussion about
reconciling SAML 2 and OAuth, though, so maybe there is a way to
resolve this with everyauth.

thanks!