[OpenID] OAuth SPs don't have to be your OpenID OP

santrajan santrajan at gmail.com
Sat Apr 4 14:57:05 UTC 2009


Yes but the consumer registration is still required right? I mean it wouldn't
work without the OAuth key?

Regarding centralized discovery I was thinking of a centralized repository
for identities that will allow discovery and manage trust.


Chris Messina wrote:
> 
> Nothing about OAuth prevents an ad-hoc approach to consumer registration
> and
> so it could be used in a more decentralized way — it's just unlikely given
> the control that SPs (service providers) desire.
> I'm confused by what you mean by "centralized discovery".
> 
> In the model I've espoused, an individual asserts her identity provider to
> a
> relying party or consumer; the RP or consumer inspects the provided
> identity
> and through discovery, detects where certain types of services or an
> authentication provider are located. Depending on the present task,
> authentication, authorization or both will then occur.
> 
> Identity, discovery, authentication, and authorization can be served by
> one
> or more substitutable providers. Relationships between each of these and
> consumers or relying parties are handled on a per-instance and revokable
> basis.
> 
> At least that's the working model in my head.
> 
> On Sat, Apr 4, 2009 at 9:43 AM, santrajan <santrajan at gmail.com> wrote:
> 
>>
>> But OAuth is not decentralised like OpenId. We need centralized discovery
>> and
>> decentralized authentication. The centralised discovery will take care of
>> the trust part.
>>
>>
>> Chris Messina wrote:
>> >
>> > From a purely technological perspective, OpenID doesn't work in
>> > desktoclients or for APIs.
>> >
>> > This is one of the primary reasons OAuth came about: Magnolia and
>> > Twitter couldn't fully adopt OpenID without something for
>> > non-browser-based environments.
>> >
>> > OpenID & OAuth are complements, not competitors. Making them work
>> > together more seamlessly where possible is driven by interface
>> > convenience, not technological superiority.
>> >
>> > Chris
>> >
>> > On 4/3/09, santrajan <santrajan at gmail.com> wrote:
>> >>
>> >> Why should OpenID support OAuth at all? OpenID can stand on its own.
>> All
>> >> OpenID needs to do is address the concerns of RP's and users.
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/OAuth-SPs-don%27t-have-to-be-your-OpenID-OP-tp22879703p22883548.html
>> Sent from the OpenID - General mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
> 
> 
> 
> -- 
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate
> 
> factoryjoe.com // diso-project.org // vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 

-- 
View this message in context: http://www.nabble.com/OAuth-SPs-don%27t-have-to-be-your-OpenID-OP-tp22879703p22884266.html
Sent from the OpenID - General mailing list archive at Nabble.com.




More information about the general mailing list