OAuth As Sole Authorization Scheme
Issue #6
resolved
Two types of RISC relationships involve parties that do not necessarily support OAuth:

* OIDC Clients that accept ID Tokens but do not issue them.
* Implicit federation partners using email or telephone number identifiers.
This means that such receivers cannot issue authorization tokens for receiving streams (i.e. through HTTP PUSH) except tokens that are manually generated. This raises security and administrative cost concerns.
Long-tail sites tend not to use OAuth for non-user-agent-based communications. However, mutual TLS is very popular for server-to-server backchannel comms.
Impact: Is an authorization standard really needed to achieve interop?
Comments (2)
- changed status to resolved
The language was changed and OAuth 2.0 is only suggested as an example.