[OpenID board] Why Connect?

Nat Sakimura sakimura at gmail.com
Wed May 26 14:28:36 UTC 2010


Hi Luke,

Inline:

On Wed, May 26, 2010 at 11:17 PM, Luke Shepard <lshepard at facebook.com> wrote:
>
> On May 25, 2010, at 7:45 PM, Nat Sakimura wrote:
>
>> Hi Allen,
>>
>> Thanks for your response.
>>
>> That is right, and as I have indicated in the OAuth list,
>> I was wishing the artifact flow to be included in the
>> OAuth 2.0 as well, as it improves the mobile support as well
>> as the security.
>>
>> For those of you who are not following as closely as Allen,
>> the difference is that in Artifact Binding, instead of sending
>> all the parameters in the browser redirect, it only sends a URL
>> from which the OAuth Authorization server can obtain
>> all the parameters, including OpenID extension parameters.
>>
>> (David and Dick, can you just push this through? Or is there
>> something that I have to do?)
>>
>
> The great thing about OAuth 2.0 is that it allows for different Flows to obtain an access token. Why don't you write a flow in the OAuth 2.0 style for Artifact Binding?

Actually, I did. See:
http://www.sakimura.org/en/modules/wordpress/oauth-20-mobile-webapp-flow/

>
>> Otherwise, it is almost the same: Another design decision I had to
>> make was whether I should put all the assertion into the OAuth access token,
>> or I should return the OpenID parameters along with OAuth access token.
>> "Connect" opted for the former, while "AB" opted for the latter.
>
> What do you mean by this? OpenID Connect returns attribute parameters (like name, pic, etc) as extra parameters, not encapsulated within the opaque access token.

Oops, I was reading it wrong. It is "along with access token" and not
"within access token".
I somehow had an impression of the latter (from the time I got pinged
by David before the Connect page went up.)

So, AB and Connect are the same in this respect, resulting in 95% or so
overlap rather than 90% ;-)

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
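
The following sketch is an added example, not part of the original message and not code from the Artifact Binding or Connect drafts. It contrasts a redirect that carries every parameter with one that carries only a URL from which the authorization server obtains them, as the quoted description of Artifact Binding puts it. The endpoints, the `request_url` parameter name, the one-time-use rule and the sample values are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://as.example/authorize"   # hypothetical authorization server
RP_REQUEST_BASE = "https://rp.example/requests/"  # hypothetical RP-hosted request store

# Constructed sample request: OAuth-style parameters plus OpenID extension parameters.
SAMPLE_PARAMS = {
    "client_id": "rp-example",
    "redirect_uri": "https://rp.example/cb",
    "state": "xyz",
    "openid.ns.ax": "http://openid.net/srv/ax/1.0",
    "openid.ax.mode": "fetch_request",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.required": "email",
}

class RelyingParty:
    def __init__(self):
        self._store = {}  # handle -> parameters awaiting pickup

    def redirect_with_all_params(self, params):
        # Every parameter travels through the browser in the redirect URL.
        return AUTHZ_ENDPOINT + "?" + urlencode(params)

    def redirect_with_artifact(self, params):
        # Only an unguessable URL travels through the browser.
        handle = secrets.token_urlsafe(16)
        self._store[handle] = dict(params)
        return AUTHZ_ENDPOINT + "?" + urlencode({"request_url": RP_REQUEST_BASE + handle})

    def serve_request(self, url):
        # Stand-in for the server-to-server GET. Assumed one-time use:
        # an unknown or already fetched handle raises KeyError.
        if not url.startswith(RP_REQUEST_BASE):
            raise ValueError("not a request URL of this RP")
        return self._store.pop(url[len(RP_REQUEST_BASE):])

def authorization_server_receive(redirect_url, rp):
    # Return the request parameters the authorization server ends up with.
    query = parse_qs(urlparse(redirect_url).query)
    if "request_url" in query:
        return rp.serve_request(query["request_url"][0])
    return {k: v[0] for k, v in query.items()}

if __name__ == "__main__":
    rp = RelyingParty()
    for url in (rp.redirect_with_all_params(SAMPLE_PARAMS),
                rp.redirect_with_artifact(SAMPLE_PARAMS)):
        print(len(url), "chars in redirect;",
              len(authorization_server_receive(url, rp)), "parameters received")
```

Both redirects deliver the same parameter set to the authorization server; the second keeps the redirect short and keeps the extension parameters out of the URL the browser handles.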

