# OAuth3 - A SPEC we can Auth*x* with All endpoints defined. All data described. All setup process automated. The goal of OAuth3 is to establish a well-defined specification for Authentication and Authorization that gives the identity owner (i.e. the human that uses the Internet) the choice of where to store their identity (i.e. not just Facebook) and also gives the developer the ability to write code once that can work with *any* service that adheres to the spec (i.e. not just a limited pre-programmed list of Facebook, Twitter, and Google). The specification was created with the intent that an entry level developer can copy a few files over to a static file server and copy a few lines of code into a web, mobile, or desktop application and have secure authentication in that application. The ultimate goal of OAuth3 is to re-federate the Internet so that content creators (here's lookin at you "Insta" and "snap" celebs) have the choice of where to store their data and which services to use - whether on "the cloud" (large centralized systems) or on "home cloud" systems. ## Why not OAuth2? OAuth2 started to solve an important problem, but it just didn't get there. ### OAuth2 can't be implemented. OAuth2 isn't a protocol, it's "a framework for a protocol" That sounds like nonsense, but it's important nonsense. A good specification should result in two or more people being able to read the specification, implement it, and without having communicated to each other at all, both of their implementations should be compatible - anyone who writes an application for one should find that it works for the other with 0 changes to the application. This is not the case with OAuth2. * The endpoints are not defined (i.e. /authorization_dialog vs /auth_diag vs /login) * The doesn't define data format (i.e. urlencoded vs XML vs JSON) * It does define internal implementation details (i.e. how the service should handle state) ## Why not OIDC? OpenID Connect is an incremental improvement upon OAuth2. It is a step in the right direction, but it too stops far short of the goals we have set. ### OIDC is built for enterpise, not for end-users OAuth3 was in development simultaneously with OIDC and is being released long after OIDC, as such many of the conventions of OAuth3 have been changed to match those of OIDC where appropriate. However, they are still separate specifications with different goals. Some of the failings of OAuth2 we see left unsolved in OIDC are that it * focuses primarily on service providers, not identity and content owners * cannot be made backwards compatible with OAuth2 * requires manual intervention by a developer to register an application and accept agreements * requires manual intervention by users to accept License and TOS agreements ## Why OAuth3? A protocol to enable machines to help people protect their identity - not just in "the cloud", but also in the home. ### OAuth3 gives humans choice, works in the IoT-enabled home * a single implementation is sufficient for all services and domains * can be used in apps and on devices in the home * all endpoints well-defined * automated registration * automated License and ToS acceptence * more capability on the client means greater security and less server load * *can* store identity on client devices or in "the cloud" * does not *require* an application server (though that sure makes Interneting convenient) * human-friendly * machine-friendly * no developer required # Implementation Details OAuth3 is intended to work in URL-based flows such as `https://`, `app://`, and (ostensibly) `dat://`. ### subject, issuer, authorized party, and audience Just a quick intro to vocabulary that will be explained more thoroughly later on: * **subject** (**sub**)- typically a username or email address that references the real, live person that we care about * **issuer** (**iss**) - the service or device that issues tokens (or manages public keys). In the old-world model this is Facebook, Twitter, etc * **audience** (**aud**) - the service or device that exchanges tokens for goods or services. In the old-world model this is Facebook, Twitter, etc * **authorized party** (**azp**) - the service or device that uses tokens to accomplish the subject's goals. In the old-world model this is a site that has a "Login with Facebook" button ## There are 4 potential Identity Delegation styles The following are just sample UX to show the difference in the styles. Typically, a single UX can encompass all 4 styles. ![](https://media.daplie.com/oauth3/oauth3-flows-800x800.png) ### Type 1: Full Delegation (no discovery) This provides the simplest user experience by hiding all choices from the user and presenting only a single login button. In this scenario a default identity issuer has already been selected (presumably oauth3.org) and the single button is immediately active. The advanced button presents another input box that can be used to enter an address. Why you would want this: If you want to have as little code as possible and you don't care that the user may have to perform an additional step. ### Type 2: Address Flow (email - no discovery) In this flow a default identity issuer has also already been selected and the user provides their email address which will be passed to the issuer as the subject. The advanced button presents another input box that can be used to manually specify an identity issuer (requires discovery). Why you would want this: If you want to collect the user's email address up front without waiting to request permission from the issuer/audience. ### Type 3: [OPTIMAL] Address Flow (oauth3 - discovery) In this flow the identity issuer will be chosen based on the address provided by the user. If the address is discovered to be an oauth3 address it will be used as such. Otherwise the flow will fallback to type 2. **email address**: this is the same as flow type 2 **oauth3 address**: the identity issuer specified will be used, the username is optional Why you would want this: You want your users to enjoy the most choice with the least friction. ### Type 4: Advanced Flow (manual + discovery) There is a chance that someone would like to use an oauth3 subject address (i.e. jane@smithfam.net) with a different identity issuer than the one identified by the subject. In this flow the subject and the identity issuer can be manually selected independently, ignoring any discovery of the subject. Why you would want this: You want to support every possible OAuth3 use case. ## OAuth3 Issuer Discovery Endpoints Any site (**iss**) which supports OAuth3 (oauth3.org, for example) can be discovered automatically and all configuration details can be taken care of without human intervention. To be compatible the site MUST provide a static json file (`directives.json`) containing all of the directives and endpoints required to complete the OAuth3 processes. It must also provide an `index.html` which can be used to pass the contents of `directives.json` via url parameters so that OAuth3 can work on simple static servers that do not have CORS support. ``` https://issuer.tld/.well-known/oauth3/directives.json https://issuer.tld/.well-known/oauth3/ (index.html) ``` The site receiving the url parameters (**azp**) must have its own `directives.json` which must specify `/.well-known/oauth3/callback.html` as the callback frame through which it receives ``` https://azp.tld/.well-known/oauth3/callback.html ```