[Openstack] [Keystone] Why not OAuth 2.0 provider?

林自均 johnlinp at gmail.com
Tue Jun 28 07:18:41 UTC 2016


Hi Steve,

Thanks for your explanation! I have some further questions:

You said that OS-OAUTH doesn't make Keystone a proper OAuth provider, so
what is missing? Can you name some of the missing parts?

Another thing: a backlog spec started by you proposes to unify delegation
features [1]. It uses the terms "trustor" and "trustee". Can I say
that the unified delegation workflow will be more like (or even the same
as) the one in the current OS-TRUST?

[1]
https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html

John


On Tue, Jun 28, 2016 at 1:57 PM, Steve Martinelli <s.martinelli at gmail.com> wrote:

> So, the os-oauth routes you mention in the documentation do not make
> keystone a proper oauth provider. We simply perform delegation (one user
> handing some level of permission on a project to another entity) with the
> standard flow established in the oauth1.0b specification.
>
> Historically we chose oauth1.0 because one of the implementers was very
> much against a flow based on oauth2.0 (though the names are similar, these
> can be treated as two very different beasts, you can read about it here
> [1]). Even amongst popular service providers the choice is split down the
> middle, some providing support for both [2].
>
> We haven't bothered to implement support for oauth2.0 since there has been
> no feedback or desire from operators to do so. Mostly, we don't want
> yet-another-delegation mechanism in keystone, we have trusts and oauth1.0;
> should an enticing use case arise to include another, then we can revisit
> the discussion.
>
> [1] https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
> [2] https://en.wikipedia.org/wiki/List_of_OAuth_providers
>
> On Mon, Jun 27, 2016 at 11:15 PM, 林自均 <johnlinp at gmail.com> wrote:
>
>> Hi all,
>>
>> When I was searching for an OAuth provider in Keystone, I found only OAuth
>> 1.0. I am a little bit curious about the decision of 1.0 over 2.0. I failed
>> to see the reason in the documentation
>> <https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>
>> and this blueprint
>> <https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth>.
>> Is OAuth 2.0 not compatible with the design of Keystone?
>>
>> John
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
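Steve's reply describes OS-OAUTH1 as delegation carried out with the standard OAuth 1.0 flow. The part of that flow a practitioner most often needs to reason about is what happens once the consumer holds an access token: every request it makes must carry an HMAC-SHA1 signature over the method, URL and parameters, and the provider has to recompute that signature and apply its own freshness and replay checks before honouring the delegated permission. The Python below is an added example written for this page, not Keystone's or oauthlib's code (Keystone hands OAuth 1.0 handling to the oauthlib library). It implements the RFC 5849 signature base string and HMAC-SHA1 signing on the consumer side, and a provider-side verify() that goes a little beyond the thread by also rejecting unknown consumers, tokens bound to a different consumer, stale timestamps and replayed nonces. The consumer and token stores, the fixture values, the fixed clock and the 300-second timestamp window are assumptions made for the example.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and provider-side verification.

Added illustration, not Keystone code. Keystone's OS-OAUTH1 extension accepts
consumer requests signed this way (via the oauthlib library); the consumer
store, token store, fixture values and 300 s timestamp window are constructed.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s) -> str:
    # RFC 5849 section 3.6: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay unencoded.
    return quote(str(s), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & base-URI & normalized parameters. The
    # parameters are the oauth_* values (minus oauth_signature), the URL query
    # and any form body, each encoded, then sorted by key and value.
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # Signing key is the encoded consumer secret and token secret joined by "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_auth_header(method, url, consumer_key, consumer_secret, token, token_secret,
                      nonce, timestamp, body=None):
    """Consumer side: sign the request and render the Authorization header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
    }
    oauth["oauth_signature"] = sign(method, url, {**oauth, **(body or {})},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())


def parse_auth_header(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    out = {}
    for item in rest.split(","):          # commas inside values are %2C-encoded
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


class Provider:
    """Provider side: the checks a server must pass before trusting a signed request."""

    def __init__(self, consumers, tokens, clock=time.time, window=300):
        self.consumers = consumers    # consumer_key -> consumer_secret (constructed store)
        self.tokens = tokens          # access_token -> (token_secret, consumer_key)
        self.clock, self.window = clock, window
        self.seen = set()             # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, auth_header, body=None):
        try:
            oauth = parse_auth_header(auth_header)
        except ValueError:
            return False, "malformed header"
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        consumer_key = oauth.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        if consumer_secret is None:
            return False, "unknown consumer"
        token = self.tokens.get(oauth.get("oauth_token"))
        if token is None or token[1] != consumer_key:
            return False, "unknown token"   # token must be bound to this consumer
        try:
            ts = int(oauth.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(self.clock() - ts) > self.window:
            return False, "stale timestamp"
        replay_key = (consumer_key, ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "replayed nonce"
        presented = oauth.pop("oauth_signature", "")
        expected = sign(method, url, {**oauth, **(body or {})}, consumer_secret, token[0])
        if not hmac.compare_digest(presented, expected):
            return False, "bad signature"
        self.seen.add(replay_key)     # record the nonce only for a request we accepted
        return True, "ok"


# Constructed fixtures (in the style of the RFC 5849 examples), not real credentials.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
NOW = 137131202                       # fixed clock so the run is deterministic


def demo():
    provider = Provider({CONSUMER_KEY: CONSUMER_SECRET},
                        {TOKEN: (TOKEN_SECRET, CONSUMER_KEY)}, clock=lambda: NOW + 5)
    header = build_auth_header("GET", URL, CONSUMER_KEY, CONSUMER_SECRET,
                               TOKEN, TOKEN_SECRET, "chapoH", NOW)
    stale = build_auth_header("GET", URL, CONSUMER_KEY, CONSUMER_SECRET,
                              TOKEN, TOKEN_SECRET, "fresh", NOW - 3600)
    return {
        "tampered": provider.verify("GET", URL.replace("original", "large"), header),
        "valid": provider.verify("GET", URL, header),
        "replay": provider.verify("GET", URL, header),
        "stale": provider.verify("GET", URL, stale),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The order of checks in verify() matters: the nonce is only recorded after the signature has been validated, so an attacker who can see traffic cannot burn a legitimate consumer's nonces by sending forged copies, while a genuine request replayed later is still refused. Run stand-alone, demo() shows the tampered query failing on the signature, the untouched request succeeding, its exact replay failing on the nonce, and an hour-old timestamp failing the freshness window.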

