OAuth As Sole Authorization Scheme

Issue #6 resolved
Phil Hunt created an issue

Two types of RISC relationships involve parties that do not necessarily support OAuth:

* OIDC Clients that accept ID Tokens but do not issue them.
* Implicit federation partners using email or telephone number identifiers.

This means that such receivers cannot issue authorization tokens for receiving streams (i.e. through HTTP PUSH), except for tokens that are manually generated. This raises security and administrative cost concerns.

Long-tail sites tend not to use OAuth for non-user-agent-based communications. However, mutual TLS is very popular for server-to-server backchannel comms.

Impact: Is an authorization standard really needed to achieve interop?
