CISSP · Question #136
Which of the following problems is not addressed by using OAuth (Open Standard to Authorization) 2.0 to integrate a third-party identity provider for a service?
The correct answer is A. Resource Servers are required to use passwords to authenticate end users.. OAuth 2.0 addresses many federation and delegation problems, but it does not eliminate the need for Resource Servers to authenticate end users - it delegates authorization, not authentication. Understanding what OAuth 2.0 solves versus what it does not is key here.
Question
Which of the following problems is not addressed by using OAuth (Open Standard to Authorization) 2.0 to integrate a third-party identity provider for a service?
Options
- AResource Servers are required to use passwords to authenticate end users.
- BRevocation of access of some users of the third party instead of all the users from the third party.
- CCompromise of the third party means compromise of all the users in the service.
- DGuest users need to authenticate with the third party identity provider.
How the community answered
(38 responses)- A50% (19)
- B29% (11)
- C8% (3)
- D13% (5)
Why each option
OAuth 2.0 addresses many federation and delegation problems, but it does not eliminate the need for Resource Servers to authenticate end users - it delegates authorization, not authentication. Understanding what OAuth 2.0 solves versus what it does not is key here.
OAuth 2.0 is an authorization framework, not an authentication protocol; it does not address how Resource Servers authenticate end users directly. Authentication is handled by protocols like OpenID Connect (OIDC) built on top of OAuth 2.0, meaning OAuth alone does not solve the problem of Resource Servers needing passwords or credentials to authenticate end users - that problem remains unless a separate identity layer is added.
OAuth 2.0 does address granular access revocation by allowing individual access tokens or refresh tokens to be revoked per user or per scope, rather than revoking all users from a third party at once.
OAuth 2.0 mitigates the blast radius of a third-party compromise because tokens are scoped and time-limited, reducing but not necessarily eliminating the risk that a third-party breach compromises all service users.
OAuth 2.0 enables guest users to authenticate via a third-party identity provider through its authorization flows (e.g., authorization code flow), allowing federated access without requiring accounts native to the resource server.
Concept tested: OAuth 2.0 limitations versus authorization delegation capabilities
Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Topics
Community Discussion
No community discussion yet for this question.