[OpenID] OAuth vs. AX

John Bradley john.bradley at wingaa.com
Sat Apr 4 03:36:28 UTC 2009


I think Google and Plaxo have a prototype openID + oAuth flow that  
they are using.

You are correct I have never seen AX push in the wild.   We skipped  
over the OSIS tests for that because I thought it was too obscure at  
the moment.

I think that the openID + oAuth flow is one that we are going to see  
more of.  I would rather spend time developing an interop around that,  
than AX push.
Sorry AX authors.

On the other hand if Google thinks the UI for optional AX attributes  
is too complicated, I cant wait to see the oAuth interface so a user  
can go in and see all there connections for different services and RPs  
and de-provision them if they want to.

FYI I am also mulling around some oAuth + infocard ideas.   We also  
have a infocard as OP free openID (Yes UCI fans no OP) demo to build  
one day:)

John Bradley

On 3-Apr-09, at 8:17 PM, Andrew Arnott wrote:

> AX has this push mechanism that allows OPs to notify RPs when  
> attribute values have changed.  I've never heard of this being  
> used.  RPs probably do want to know when their user's data has  
> changed, but AX push is too scary, too poorly supported, or something.
> But what if we took a different approach.  What if instead of AX, we  
> used OAuth.  Follow me on this.
> Send an OAuth request for permissions to a user's email address,  
> rather than an AX request for the email address itself.  Then the RP  
> can request the user's email address whenever it wants it, whether  
> or not the user is currently authenticating.
> What does this buy you?  Ok, not a lot.  But it's an interesting use  
> case for OAuth that I think we should consider.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire

More information about the general mailing list