Paul, <div><br></div><div>For a simple "Authentication" only case for a Web server (RP, client), then you really do not need most of them. </div><div><br></div><div>I wrote a blog post for such a case. </div><div>
It should not take more than 10 minutes to write a basic RP authentication. </div><div><br></div><div><a href="http://nat.sakimura.org/2012/03/31/openid-connect-stripped-down-to-just-authentication/">http://nat.sakimura.org/2012/03/31/openid-connect-stripped-down-to-just-authentication/</a> </div>
<div><br></div><div>Cheers, </div><div><br></div><div>Nat<br><br><div class="gmail_quote">On Sat, Mar 31, 2012 at 5:34 AM, Paul E. Jones <span dir="ltr"><<a href="mailto:paulej@packetizer.com">paulej@packetizer.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="color:#1f497d">Mike,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">I appreciate the pointer. As one who has written tons of specs, the language of a spec does not bother me, though I nonetheless appreciate any document that explains things in narrative form, of course.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Even after reading that document, though, I feel no less easy about OpenID Connect. It’s not that there is a <i>specific</i> change I can propose, though.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">I would start go to the core of the spec and start there. Why build it on top of OAuth? I like OAuth and it has a useful purpose. It was intended to allow Party A to get access to resources at Party B, with the user being in a position to grant such access. OpenID has a different purpose. When I log into a web site using OpenID, the visited web site only wants to verify that I am who I claim to be. The scope of OpenID is narrow and simple. As I said, there were some pain points that we could address, but fundamentally, it’s simple.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">OpenID Connect goes far beyond the original purpose of OpenID. Perhaps a reason for using OAuth is to grant access to get additional information related to the user (e.g., name, picture, address, etc.)? However, that is mixing different problems. My ability to log into a web site and that web site being able to access information about me that I store elsewhere are different problems that should not be merged into one. (That said, I have no objection to allowing certain information to be conveyed as a part of any OpenID exchange, much as there is in OpenID 2.0. The user can control and limit that information, but even then we should be careful to not go too far in mixing discovery of information about a user with the function of authenticating a user so they can log into a site.)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Next, is the size of the set of specs. In addition to the pile of specs you have listed below, there are also other specs that <i>appear</i> to be required, including JWT, JWS, JWE, JWA, JWK, and SWD. All of that is an impressive body of work, but it is also a hell of a lot of stuff to build in order to implement something that should be a simple login mechanism. How long would it take to read all of this stuff and implement it? By comparison, I implemented an OpenID 2.0 OP server in less than a day, adding 1.1 support too. I picked up the OpenID 2.0 spec, read it, and implemented what it said.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">So, I’m left with no specific recommended changes. I just think the work has gone in the wrong direction. It appears overly complex for the problem at hand, with a scope that stretches far beyond what OpenID intended to do. I’m very supportive of OpenID and would be thrilled to see OpenID as a single login mechanism across the web, but I really think we have to have something simpler. The push back on OpenID 2.0 was over complexity, largely for the RP code. Why not just work to make it simpler? Of course, I might be wrong in thinking this is going to turn a lot of people off, but I don’t think so. I don’t want to go implement all of this stuff. :-/<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Paul<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Mike Jones [mailto:<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>] <br>
<b>Sent:</b> Friday, March 30, 2012 1:27 PM<br><b>To:</b> Paul E. Jones; <a href="mailto:specs@openid.net" target="_blank">specs@openid.net</a></span></p><div><div class="h5"><br><b>Cc:</b> <a href="mailto:board@openid.net" target="_blank">board@openid.net</a>; <a href="mailto:gsalguei@cisco.com" target="_blank">gsalguei@cisco.com</a><br>
<b>Subject:</b> RE: Implementer's Drafts posted with -ID1 version designations<u></u><u></u></div></div><p></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="color:#1f497d">The specs are written in normative spec language, but they still describe a process that’s very simple at it’s core. Have a look at <a href="http://nat.sakimura.org/2012/01/20/openid-connect-nutshell/" target="_blank">http://nat.sakimura.org/2012/01/20/openid-connect-nutshell/</a>, which is written as a primer, rather than in spec language. After that, I think you’ll agree that what’s there is actually quite simple to use.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">If you still disagree, then we’d be interested in hearing what specific changes you’d suggest that we make.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> -- Mike<u></u><u></u></span></p><p class="MsoNormal">
<span style="color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Paul E. Jones <a href="mailto:[mailto:paulej@packetizer.com]" target="_blank">[mailto:paulej@packetizer.com]</a> <br>
<b>Sent:</b> Friday, March 30, 2012 10:17 AM<br><b>To:</b> Mike Jones; <a href="mailto:specs@openid.net" target="_blank">specs@openid.net</a><br><b>Cc:</b> <a href="mailto:board@openid.net" target="_blank">board@openid.net</a>; <a href="mailto:gsalguei@cisco.com" target="_blank">gsalguei@cisco.com</a><br>
<b>Subject:</b> RE: Implementer's Drafts posted with -ID1 version designations<u></u><u></u></span></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="color:#1f497d">Gee, guys… I think something has gone terribly wrong here. I was really excited about OpenID, believing it was a very important technology. Further, OpenID was fairly simple. One part was complex: the client code for the RP had to deal with querying the user’s ID, looking for a Yadis file, and possibly digging through an HTML document – all in an effort to find the URI for the user’s OP. The OP code, on the other hand, is fairly trivial.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">OpenID 2.0 could have been simplified easily be removing the requirement for processing a Yadis file and HTML document and replacing that with a simple Link header in HTTP. One could also use RFC 6415 (Host-Meta) to make it simple to advertise one’s OpenID ID (a “challenge” for the average person to use) and even the OP URI (though perhaps not so beneficial).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">I wanted to get engaged in the work, but getting Cisco to sign agreements, especially when this was not my core job function, was a bit of a challenge. So, the work proceeded without me. It’s unfortunate, because my initial reaction to what I’ve seen is ... what happened?!?!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">OpenID Connect was supposed to be simple. That was one of the claim made when it was introduced. Looking at these drafts, I’d argue that “simple” has been thrown out the window, in spite of the claim “simple” in the abstract of these documents. Perhaps it’s just a false first impression, but these documents certainly appear to introduce a lot of procedure and make reference to number of required specifications that are not listed in the list below.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Do you really want to go down this path? I would still be open to a simplification of OpenID 2.0 to remove the pain points.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Paul<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a> <a href="mailto:[mailto:openid-specs-bounces@lists.openid.net]" target="_blank">[mailto:openid-specs-bounces@lists.openid.net]</a> <b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Monday, February 27, 2012 8:36 PM<br><b>To:</b> <a href="mailto:specs@openid.net" target="_blank">specs@openid.net</a><br><b>Cc:</b> <a href="mailto:board@openid.net" target="_blank">board@openid.net</a><br><b>Subject:</b> Implementer’s Drafts posted with -ID1 version designations<u></u><u></u></span></p>
</div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The approved Implementer’s Drafts are now also posted at these locations:<u></u><u></u></p><p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><a href="http://openid.net/specs/openid-connect-basic-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-connect-basic-1_0-ID1.html</a><u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><a href="http://openid.net/specs/openid-connect-discovery-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-connect-discovery-1_0-ID1.html</a><u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><a href="http://openid.net/specs/openid-connect-registration-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-connect-registration-1_0-ID1.html</a><u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><a href="http://openid.net/specs/openid-connect-messages-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-connect-messages-1_0-ID1.html</a><u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><a href="http://openid.net/specs/openid-connect-standard-1_0-ID1.html" target="_blank">http://openid.net/specs/openid-connect-standard-1_0-ID1.html</a><u></u><u></u></p>
<p><u></u><span style="font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><a href="http://openid.net/specs/oauth-v2-multiple-response-types-1_0-ID1.html" target="_blank">http://openid.net/specs/oauth-v2-multiple-response-types-1_0-ID1.html</a><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The original versions with numeric version designations remain in place.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p></div></div></div></div></div></div><br>_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
</div>