[Openstack] [Keystone] Why not OAuth 2.0 provider?

Adam Young ayoung at redhat.com
Wed Jun 29 02:03:17 UTC 2016


On 06/28/2016 03:18 AM, 林自均 wrote:
> Hi Steve,
>
> Thanks for your explanation! I have some further questions:
>
> You said that OS-OAUTH doesn't make Keystone a proper OAuth provider, 
> so what is missing? Can you name some of the missing parts?
>
> Another thing, a backlog started by you proposed to unify delegation 
> features [1]. Its spec uses terms of "trustor" and "trustee". Can I 
> say that the unified delegation workflow will be more like (or even 
> the same as) the one in current OS-TRUST?
>
Yes.  The idea is that OAuth is a more standard protocol, but leaves out 
some of the details.  Trusts fill in the details of how to specify the 
delegation.  They fit together nicely.


> [1] 
> https://specs.openstack.org/openstack/keystone-specs/specs/backlog/unified-delegation.html
>
> John
>
>
> Steve Martinelli <s.martinelli at gmail.com> wrote on Tue, Jun 28, 2016 at 1:57 PM:
>
>     So, the os-oauth routes you mention in the documentation do not
>     make keystone a proper oauth provider. We simply perform
>     delegation (one user handing some level of permission on a project
>     to another entity) with the standard flow established in the
>     oauth1.0b specification.
>
>     Historically we chose oauth1.0 because one of the implementers was
>     very much against a flow based on oauth2.0 (though the names are
>     similar, these can be treated as two very different beasts, you
>     can read about it here [1]). Even amongst popular service
>     providers the choice is split down the middle, some providing
>     support for both [2]
>
>     We haven't bothered to implement support for oauth2.0 since there
>     has been no feedback or desire from operators to do so. Mostly, we
>     don't want yet-another-delegation mechanism in keystone, we have
>     trusts and oauth1.0; should an enticing use case arise to include
>     another, then we can revisit the discussion.
>
>     [1] https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
>     [2] https://en.wikipedia.org/wiki/List_of_OAuth_providers
>
>     On Mon, Jun 27, 2016 at 11:15 PM, 林自均 <johnlinp at gmail.com> wrote:
>
>         Hi all,
>
>         When I am searching for OAuth provider in Keystone, I found
>         only OAuth 1.0. I am a little bit curious about the decision
>         of 1.0 over 2.0. I failed to see the reason in the
>         documentation
>         <https://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-oauth1-ext.html>
>         and this blueprint
>         <https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth>.
>         Is OAuth 2.0 not compatible with design of Keystone?
>
>         John
>
>         _______________________________________________
>         Mailing list:
>         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>         Post to     : openstack at lists.openstack.org
>         Unsubscribe :
>         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
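The "standard flow established in the OAuth 1.0 specification" that Steve refers to is, on the wire, RFC 5849 request signing: the consumer signs every request with HMAC-SHA1 over a canonical signature base string, and the provider recomputes that signature from its own copy of the secrets and compares. The following is an added worked example in Python (Keystone's own language); it is not Keystone's OS-OAUTH1 code. The request, consumer key, token, timestamp and nonce are the sample values from RFC 5849 section 3.4.1.1; the two secrets, the in-memory stores and the delegation record (standing in for what a Keystone access token represents: a user granting roles on a project to a consumer) are constructed for the demo.

```python
"""OAuth 1.0 (RFC 5849) request signing on the consumer side and verification on
the provider side.  Added example, not Keystone's OS-OAUTH1 code: request, consumer
key, token, timestamp and nonce are the RFC 5849 3.4.1.1 sample values; the secrets,
the stores and the delegation record are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop the default port and the query."""
    p, default = urlsplit(url), {"http": 80, "https": 443}
    port = "" if p.port in (None, default.get(p.scheme.lower())) else f":{p.port}"
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{port}{p.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """RFC 5849 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).
    Parameters come from the query string, the oauth_* values (minus oauth_signature
    and realm) and a form-encoded body; each is decoded, re-encoded, sorted by name
    then value, and joined with '=' and '&'."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(body, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 3.4.2: HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body="", timestamp=None, nonce=None) -> dict:
    """Consumer side: build the oauth_* protocol parameters for one request and sign them."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
              "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce}
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params, body), consumer_secret, token_secret)
    return params


class OAuth1Verifier:
    """Provider side.  The dicts are constructed in-memory stand-ins for the consumer and
    access-token stores; `delegation` models what an access token stands for."""

    def __init__(self, consumers: dict, tokens: dict, clock=time.time, window: int = 300):
        self.consumers = consumers          # consumer key -> consumer secret
        self.tokens = tokens                # access token -> (token secret, delegation)
        self.clock, self.window = clock, window
        self.seen = set()                   # (consumer key, timestamp, nonce) replay cache

    def verify(self, method: str, url: str, oauth_params: dict, body: str = ""):
        """Return the token's delegation record if the request verifies, else None."""
        try:
            ckey, token = oauth_params["oauth_consumer_key"], oauth_params["oauth_token"]
            consumer_secret, (token_secret, delegation) = self.consumers[ckey], self.tokens[token]
            ts, nonce = int(oauth_params["oauth_timestamp"]), oauth_params["oauth_nonce"]
            presented = oauth_params["oauth_signature"].encode()
        except (KeyError, ValueError):
            return None
        # Signature method, freshness window and nonce replay cache; RFC 5849 3.3 leaves
        # the window size and nonce retention to the server.
        if (oauth_params.get("oauth_signature_method") != "HMAC-SHA1"
                or abs(self.clock() - ts) > self.window or (ckey, ts, nonce) in self.seen):
            return None
        expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body),
                                       consumer_secret, token_secret).encode()
        if not hmac.compare_digest(expected, presented):
            return None
        self.seen.add((ckey, ts, nonce))
        return delegation


# RFC 5849 3.4.1.1 sample request; the secrets and the delegation record are constructed.
METHOD, URL = "POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "consumer-secret-constructed"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "token-secret-constructed"
DELEGATION = {"user": "alice", "project": "demo", "roles": ["member"]}


def run_demo() -> dict:
    """Sign the sample request, verify it, then replay it and tamper with a fresh copy."""
    server = OAuth1Verifier({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: (TOKEN_SECRET, DELEGATION)},
                            clock=lambda: 137131201 + 5)   # fixed clock near the sample timestamp
    signed = sign_request(METHOD, URL, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET,
                          body=BODY, timestamp=137131201, nonce="7d8f3e4a")
    first = server.verify(METHOD, URL, signed, BODY)           # accepted
    replay = server.verify(METHOD, URL, signed, BODY)          # same nonce again: rejected
    fresh = sign_request(METHOD, URL, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET,
                         body=BODY, timestamp=137131201, nonce="7d8f3e4b")
    tampered = server.verify(METHOD, URL, fresh, BODY + "&role=admin")  # body altered in transit
    return {"first": first, "replay": replay, "tampered": tampered}
```

Calling run_demo() returns the delegation record for the first request and None for both the replayed request and the one whose body was altered after signing. The base string it builds for the sample request is the one printed in RFC 5849 section 3.4.1.1; the delegation record is the part OAuth 1.0 itself says nothing about, which is the gap Adam describes trusts as filling.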

