How does OAuth compare with Kerberos?
How does OAuth compare with ticket granting services like Kerberos?
I understand that OAuth is like the ticket granting service (TGS) in Kerberos.
What about the other parts? Can OAuth be organized into domains?
Can TGS be delegated, in addition to primary services?
Are the threat models the same? Are the protection models the same?
If the comparison hasn't been made, does anyone think it is worthwhile to study this?
-chris
OAuth can be organised by realm. OAuth Core doesn't specify the semantics for a realm, but OAuth Discovery does. OAuth Discovery also describes how to delegate ticket granting. Most delegated ticket granting assumes a shared backend between the SP/TGS and the SP/SS, unlike Kerberos. Someone may have whipped up a nifty access token scheme that would let you use a prearranged secret instead, à la Kerberos, but I've not seen it.
The threat and protection models are totally different. And I think it would be very important to study this more formally.
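As an added illustration (not part of the thread), this Python sketch contrasts the two validation models the answer names: a shared-backend token store that the serving service must query, and a Kerberos-style self-contained ticket bound to one target service by a key prearranged between the ticket-granting service and that service alone. It substitutes an HMAC tag for Kerberos's encrypted ticket, and every service name and key is made up.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Model A: OAuth-style shared backend. The token-granting service and the
# serving service share one store; the serving service validates by lookup,
# so the token itself carries nothing and cannot be checked offline.
class SharedBackendStore:
    def __init__(self):
        self.tokens = {}

    def issue(self, subject, scope, ttl=300):
        tok = secrets.token_urlsafe(16)  # opaque handle, meaningless without the store
        self.tokens[tok] = {"sub": subject, "scope": scope, "exp": time.time() + ttl}
        return tok

    def validate(self, tok, required_scope):
        rec = self.tokens.get(tok)
        if rec is None or rec["exp"] < time.time():
            return None
        return rec["sub"] if required_scope in rec["scope"] else None


# Model B: Kerberos-style prearranged secret. The granting service mints a
# self-contained ticket and binds it to the target service with a key only
# that service holds; no shared backend is consulted at validation time.
def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_ticket(service_key, service_name, subject, scope, ttl=300, now=None):
    body = json.dumps({"svc": service_name, "sub": subject, "scope": scope,
                       "exp": (now or time.time()) + ttl}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + _sign(service_key, body)).decode()

def validate_ticket(service_key, service_name, ticket, required_scope, now=None):
    raw = base64.urlsafe_b64decode(ticket)
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, _sign(service_key, body)):
        return None  # minted for a different service's key, or tampered with
    claims = json.loads(body)
    if claims["svc"] != service_name or claims["exp"] < (now or time.time()):
        return None  # replayed against another service, or expired
    return claims["sub"] if required_scope in claims["scope"] else None
```

The tradeoff the answer points at is visible here: model A needs every serving service to reach the shared store, while model B needs a key distributed to each service ahead of time but validates without any round trip.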