RFC051: Revert to standard OAuth authentication flows
Background and rationale
In iSHARE, for clear functional reasons, it was decided that authentication should be possible without preregistration at the service provider, since preregistration is done at the scheme owner (later satellite). As a result, every iSHARE authentication flow must support that during the authentication process, identification is done on the basis of certificates, without preregistration. Unfortunately, this is not feasible/scalable, since sending proof of certificates (in the form of client_assertions) is not supported in standard Oauth. In normal OAuth, a preregistration is required, on the basis of which you can retrieve a token with some form of credentials. Therefore, currently, a service provider that wants to support an iSHARE flow must design and implement its own authentication process and cannot use standard open-source OAuth packages. This poses big thresholds for implementing iSHARE and big security risks when implementing iSHARE (as everyone has to reinvent the wheel).
Proposed change: purpose
I don't think it is reasonable to expect that the iSHARE adaptation of OAuth will become mainstream, or large enough to support its own open source community. Therefore, iSHARE should think about a RFC to redesign the authentication flow based on:
- keeping it close to iSHARE standards
- restricted to OAuth standards
Proposed change: considerations and requirements
Describe all relevant considerations and requirements that should be taken into account when performing the impact analysis on the RFC.
Impact analysis
Prepared impact analysis is available here: https://gitlab.com/ishare-foundation/cab/rfc/-/blob/main/RFC%20Documents/RFC051/README.md