[Openstack] [Keystone] Why not OAuth 2.0 provider?

Steve Martinelli s.martinelli at gmail.com
Tue Jun 28 05:57:17 UTC 2016


So, the os-oauth routes you mention in the documentation do not make
keystone a proper oauth provider. We simply perform delegation (one user
handing some level of permission on a project to another entity) with the
standard flow established in the oauth1.0b specification.

Historically we chose oauth1.0 because one of the implementers was very
much against a flow based on oauth2.0 (though the names are similar, these
can be treated as two very different beasts; you can read about it here
[1]). Even amongst popular service providers the choice is split down the
middle, some providing support for both [2].

We haven't bothered to implement support for oauth2.0 since there has been
no feedback or desire from operators to do so. Mostly, we don't want
yet-another-delegation mechanism in keystone; we have trusts and oauth1.0.
Should an enticing use case arise to include another, then we can revisit
the discussion.

[1] https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
[2] https://en.wikipedia.org/wiki/List_of_OAuth_providers


On Mon, Jun 27, 2016 at 11:15 PM, 林自均 <johnlinp at gmail.com> wrote:

> Hi all,
>
> When I was searching for an OAuth provider in Keystone, I found only OAuth
> 1.0. I am a little bit curious about the decision of 1.0 over 2.0. I failed
> to see the reason in the documentation
> <https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>
> and this blueprint
> <https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth>.
> Is OAuth 2.0 not compatible with the design of Keystone?
>
> John