An OAuth OpenID Extension

Joseph Holsten joseph at josephholsten.com
Tue Oct 23 02:21:56 UTC 2007


Wow, these are neat. Thanks for the links, David, and especially the
work, John!

OK, so the Inline Auth use case seems like a straightforward case for  
OAuth: resource url => identifier,  user auth url => delegate.  
Successfully accessing the resource after negotiation would imply  
that the user still trusts the RP. Seems like low-hanging fruit.
Also, gets the benefit of single sign off!

I'm a little unsure about the best way for the Trusted Auth use case.  
This seems quite good, but a diagram of an OAuth solution to the
problem was on the mailing list not long ago. Same as the official  
diagram, but with a third column showing interactions between the  
"Consumer Directs User to Service Provider" and "Service Provider  
Directs User to Consumer" steps. I looked for half an hour, found  
nothing, but I'm not crazy really! Anyway, it would be nice to  
compare perspectives first.

But if I remember correctly, the OAuth proposal only allowed the
"Service Provider"/"Destination Consumer" to revoke resource access,
while OpenID trusted auth gives that right to the OP. Greater
overhead versus greater user control.

So who's interested in fleshing out these recommendations into specs?

http:/ joseph holsten .com


On 02007:10:22, at 3:54CDT, David Recordon wrote:

> Hey all,
> I know John did some work in September
> (http://extremeswank.com/openid_trusted_auth.html and
> http://extremeswank.com/openid_inline_auth.html).  Both solve extremely important use-cases
> and are becoming increasingly discussed especially with the advent of
> OAuth.  I'd really like to see how we can work to write an extension
> to OpenID Authentication where the OpenID Provider is also the one
> handling OAuth credentials.  This would be useful in the inline
> authentication use case as well as if we move to a deployment
> scenario where the OAuth Provider is checking with the user's OpenID
> Provider to verify OAuth signatures.  Over time I also think moving
> OpenID to the OAuth signature mechanism would be beneficial, but I
> think that is a longer conversation.
>
> --David



