<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/28/2016 03:18 AM, 林自均 wrote:<br>
</div>
<blockquote
cite="mid:CAKO26Mtjg1AWKWL1=yHTuRj=ATKqNVy3CfNkwFXAFwZxXvMkig@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi Steve,</div>
<div><br>
</div>
<div>Thanks for your explanation! I have some further questions:</div>
<div><br>
</div>
<div>You said that OS-OAUTH doesn't make Keystone a proper OAuth
provider, so what is missing? Can name some of the missing
parts?</div>
<div dir="ltr">
<div><br>
</div>
<div>Another thing, a backlog started by you proposed to unify
delegation features [1]. Its spec uses terms of "trustor"
and "trustee". Can I say that the unified delegation
workflow will be more like (or even the same as) the one in
current OS-TRUST?</div>
<div><br>
</div>
</div>
</div>
</blockquote>
Yes. The idea is that Oauth is a more standard protocol, but leaves
out some of the details. Trusts fills in the details of how to
specify the delegation. They fit together nicely.<br>
<br>
<br>
<blockquote
cite="mid:CAKO26Mtjg1AWKWL1=yHTuRj=ATKqNVy3CfNkwFXAFwZxXvMkig@mail.gmail.com"
type="cite">
<div dir="ltr">
<div dir="ltr">
<div><span style="line-height:1.5">[1] <a
moz-do-not-send="true"
href="https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html"
target="_blank"><a class="moz-txt-link-freetext" href="https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html">https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html</a></a></span><br>
</div>
<div><br>
</div>
<div>John</div>
<div><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">Steve Martinelli <<a
moz-do-not-send="true"
href="mailto:s.martinelli@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:s.martinelli@gmail.com">s.martinelli@gmail.com</a></a>>
於 2016年6月28日 週二 下午1:57寫道:<br>
</div>
</div>
</div>
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr" style="font-size:12.8px">So, the os-oauth
routes you mention in the documentation do not make
keystone a proper oauth provider. We simply perform
delegation (one user handing some level of permission
on a project to another entity) with the standard flow
established in the oauth1.0b specification.
<div><br>
</div>
<div>Historically we chose oauth1.0 because one of the
implementers was very much against a flow based on
oauth2.0 (though the names are similar, these can be
treated as two very different beasts, you can read
about it here [1]). Even amongst popular service
providers the choice is split down the middle, some
providing support for both [2]</div>
<div><br>
</div>
<div>We haven't bothered to implement support for
oauth2.0 since there has been no feedback or desire
from operators to do so. Mostly, we don't want
yet-another-delegation mechanism in keystone, we
have trusts and oauth1.0; should an enticing use
case arise to include another, then we can revisit
the discussion. </div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/"
target="_blank">https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/</a> </div>
<div>[2] <a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/List_of_OAuth_providers"
target="_blank">https://en.wikipedia.org/wiki/List_of_OAuth_providers</a></div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">On Mon, Jun 27, 2016 at 11:15
PM, 林自均 <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:johnlinp@gmail.com" target="_blank">johnlinp@gmail.com</a>></span>
wrote:<br>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi all,
<div><br>
</div>
<div>When I am searching for OAuth provider in
Keystone, I found only OAuth 1.0. I am a little
bit curious about the decision of 1.0 over 2.0.
I failed to see the reason in the <a
moz-do-not-send="true"
href="https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html"
target="_blank">documentation</a> and <a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth"
target="_blank">this blueprint</a>. Is OAuth
2.0 not compatible with design of Keystone?</div>
<div><br>
</div>
<div>John</div>
</div>
<br>
</blockquote>
</div>
</div>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
Mailing list: <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org"
target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>