OpenID Exchange
Praveen Alavilli
AlavilliPraveen at aol.com
Wed Dec 13 16:11:40 UTC 2006
this is exactly what we are trying to come up (at AOL) too. This fits in
well for bridging Open Authentication with Open Web Services.
Although in our version (internal - not published yet) we tried to keep
the EndPoint (SP) & OP separate and use a security token instead of the
transaction handle to bootstrap on - so by the time the Consumer makes
a call to the SP, it already has a Security Token that it can pass on to
the SP and the SP doesn't need to do the Authentication again. We also
talked (internally) about an Interaction Service (liberty specs) 'like'
extension to OpenId that can be optionally be supported by the OP (will
be defined in the yadis doc).
So let's say if an OpenId user tries to access a Consumer site (a mashup
in web 2.0 world) which tries to get his albums from Pictures Service,
the Consumer site can do the authentication with OP and ask for a
security token that it can use to make a web services (SOAP/REST/etc..)
request to the Pictures Services. The Pictures Service can validate the
token, and check for user rights either locally or at OP (if defined in
OP's Yadis doc) and return the data if the user has previously given
consent. If not, Pictures Service can ask the Consumer to redirect the
user in the browser to a Url - which can be either the Picture
Service's own web app or to the OP with parameters required to collect
the user's consent.
There are definitely both pros & cons in doing it with one being that
the user's permissions are stored at this own (trusted) OP rather than
at each SP separately - so the user can go to one place and manage his
permissions.Would like to see what others think about this approach.
We didn't push the spec to the openid gang yet as at the IIW last week,
we heard of new extensions like Assertion Quality Extension, and the
huge interest in SAML-OpenId convergence, which seemed like opening up
other ways to achieve the same.
We would be more than happy to help & support you with formalizing the
spec, usecases, etc..
regards,
=praveen.alavilli
mart at degeneration.co.uk wrote:
> I have made an early draft of a spec called OpenID Exchange on the wiki:
> <http://openid.net/wiki/index.php/OpenID_Exchange_1.0>
>
> The goal of this protocol is to allow user-accompanied HTTP requests.
> "user-accompanied" means that a consumer makes a request to a service on
> behalf of a user and the user reviews and approves the request.
>
> Example applications of this include:
> * Zooomr posting photos into your blog with your one-time approval,
> without disclosing your login credentials. [1]
> * Fetching of user profile information.
> * Social networking friendship handshakes. [2]
>
> The protocol should, in theory, be able to act as a transport for any
> HTTP-based protocol such as SOAP and AtomAPI, as well as for simple GET
> requests. The protocol for "post in my blog" could, for example, just be
> an AtomAPI POST request made over OpenID Exchange.
>
> This is still work-in-progress. The spec needs lots of refinement and at
> some point I'll have to make a demo or two.
>
> [1] You can still see the results of the demo of my earlier version
> of this on LiveJournal, albeit without the pictures:
> <http://openrpcdemo.livejournal.com/>
>
> [2] Discussed further in my blog entry on social networking:
> <http://www.apparently.me.uk/623.html>
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
More information about the specs
mailing list