.Nat Zone

Digital Identity et al.

Re: Limitations of the OAuth 2.0 definition of “Client”


Thomas Hardjono has a very good blog entry <<Limitations of the OAuth 2.0 definition of “Client”>>.

The essence of the entry is that the definition of “client” in OAuth 2.0 (RFC 6749) is too limiting and does not fit many current uses of the specification.

Here is the definition:

client
An application making protected resource requests on behalf of the resource owner and with its authorization.

This excludes many useful cases. The client may simply not be acting on behalf of the resource owner, even though what it does may benefit the resource owner. In such cases the party who authorizes the access and the party the client acts for are two different entities, and the RFC 6749 definition has no name for the second one.

The UMA (draft-06) definition of the “client” is much better:

client
An application making protected resource requests with the resource owner’s authorization and on the requesting party’s behalf.

Note that the “requesting party” is a defined term:

requesting party
An end-user, or a corporation or other legal person, that uses a client to seek access to a protected resource. The requesting party may or may not be the same party as the resource owner.

and also that “resource owner” is a defined term, and does not have to “own” the resource:

resource owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.


The UMA (draft-06) definition of “client” is much better than that of RFC 6749. It is something that needs to be considered for an early revision or errata, IMHO.
