OAuth + OpenID

NISHITANI Masaki m-nishitani at nri.co.jp
Wed Dec 12 03:33:09 UTC 2007


I enumerated all possible cases to use OAuth and OpenID
together to organize my thoughts a bit more.

And I corrected the charts for one misunderstanding.
In chart 3, there should be another user-interaction phase
for the SP, which behaves as a relying party in the OpenID context,
to obtain the user identifier.

I will be glad to have any comments on this.

Possible cases to use OAuth and OpenID together.
================================================

1. Consumer, SP and OP all differ (4-entity case)

  1.1 Neither Consumer nor SP uses OpenID at all.
    - This is just a simple OAuth use case (chart 1).

  1.2 Consumer requires OpenID authentication, SP does not.
    - Same as simple OAuth, except that the OpenID transactions
      are placed before initiating OAuth (above the whole chart 1 sequence).

  1.3 SP requires OpenID authentication, Consumer does not.
    - Chart 3.

  1.4 Both require OpenID authentication.
    - Almost the same as chart 3. Just place another OpenID
      sequence above all of the lines.

2. Consumer and SP are the same.

  Does not need to use OAuth.

3. SP and OP are the same.

  3.1 Consumer does not use OpenID.
    - Simple OAuth.

  3.2 Consumer does use OpenID.
    - Sequences are just the same as in chart 3, or possibly
      optimized like chart 4.

4. Consumer and OP are the same.

  4.1 SP does not use OpenID.
    - Simple OAuth.

  4.2 SP uses OpenID.
    - This is a bit of a strange case. It is possible to use
      OpenID authentication for SP, but it is meaningless.
      OAuth aims at data exchange without disclosing user
      credentials, and in this case the consumer already knows
      the user credential because it is an OpenID provider
      itself.

5. All the same.
  Surprisingly, this needs neither OpenID nor OAuth.
  Let me call this ``plain old web service'' ;-P


> Hi all.
> 
> Following the theme, OAuth and OpenID, discussed at IIW
> 2007b, I have made up some brief diagrams for a sort of
> self-brainstorming.
> 
> It is a shame for me not to have been able to join that
> session at IIW, though judging from the wiki page at
> http://iiw.idcommons.net/index.php/OAuth_and_OpenID ,
> it went mainly over the case where the SP (an OAuth term)
> and the OP (an OpenID term) are the same one.
> 
> Now the diagrams consist of -
> 
> Page 1; Ordinary OAuth sequence chart.
> Page 2; Same for OpenID.
> Page 3; Using OAuth and OpenID together,
> 	Consumer does not need authorization but needs access to
> 	the user's data stored in SP, and SP uses OpenID as its
> 	authorization method.
> Page 4; Superimposing OAuth and OpenID,
> 	SP and OP are the same one, and the consumer requires the
> 	user's data stored in OP/SP and uses OpenID as well.
> 
> This is a starting point for me and now I am looking for any
> other use case and trying to make myself clear.
> 
> Probably there are some chances to make the protocols
> simpler. One case is to skip the association phase, using the
> Consumer secret or RSA key of the consumer to verify the
> consumer/RP.
> 
> I will be glad if I get comments.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenID_OAuth_Chart.pdf
Type: application/pdf
Size: 58604 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20071212/7f31b313/attachment-0002.pdf>
