Vittorio,
I feel you are conflating OIDC with OAuth2. In delegation
workflows, the AS/RS can be any company and the clients are
approved registered clients. I use OAuth2 for many of my own
consumer needs and there is an even distribution of use among many
services. OAuth2 protects me. I no longer have to hand out my
twitter credentials just because my conference website wants
limited access to my twitter account. I can now give my conference
website limited delagated access to my twitter account and cancel
that relationship any time. For years I was forced to give up my
banking credentials to services like Mint and that is no longer
the case due to the OAuth2 financial extension (FAPI).
While OIDC is certainly centralizing identity to a few providers, a real problem, OAuth2 when used for delegation purposes does not have that same inherent risk.
Respectfully,
- Jim Manico
Il 01/03/2021 15:13 Jim Manico <jim@xxxxxxxxxxxx> ha scritto:
How does OAuth harm privacy?
I think you are analyzing the matter at a different level.
If you start from a situation in which everyone is managing their own online identity and credentials, and end up in a situation in which a set of very few big companies (essentially Google, Apple and Facebook) are supplying and managing everyone's online credentials and logins, then [the deployment of] OAuth[-based public identity systems] is harming privacy.
Centralization is an inherent privacy risk. If you securely and privately deliver your personal information to parties that can monetize, track and aggregate it at scale, then you are losing privacy.
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange vittorio.bertola@xxxxxxxxxxxxxxxx Office @ Via Treviso 12, 10144 Torino, Italy
-- Jim Manico Manicode Security https://www.manicode.com
