[OpenID] OAuth vs. AX
john.bradley at wingaa.com
Sat Apr 4 03:36:28 UTC 2009
I think Google and Plaxo have a prototype openID + oAuth flow that
they are using.
You are correct I have never seen AX push in the wild. We skipped
over the OSIS tests for that because I thought it was too obscure at
I think that the openID + oAuth flow is one that we are going to see
more of. I would rather spend time developing an interop around that,
than AX push.
Sorry AX authors.
On the other hand if Google thinks the UI for optional AX attributes
is too complicated, I cant wait to see the oAuth interface so a user
can go in and see all there connections for different services and RPs
and de-provision them if they want to.
FYI I am also mulling around some oAuth + infocard ideas. We also
have a infocard as OP free openID (Yes UCI fans no OP) demo to build
On 3-Apr-09, at 8:17 PM, Andrew Arnott wrote:
> AX has this push mechanism that allows OPs to notify RPs when
> attribute values have changed. I've never heard of this being
> used. RPs probably do want to know when their user's data has
> changed, but AX push is too scary, too poorly supported, or something.
> But what if we took a different approach. What if instead of AX, we
> used OAuth. Follow me on this.
> Send an OAuth request for permissions to a user's email address,
> rather than an AX request for the email address itself. Then the RP
> can request the user's email address whenever it wants it, whether
> or not the user is currently authenticating.
> What does this buy you? Ok, not a lot. But it's an interesting use
> case for OAuth that I think we should consider.
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - Voltaire
More information about the general