OAuth + OpenID

David Recordon drecordon at sixapart.com
Sat Jan 12 19:32:20 UTC 2008


Great, thanks!  We're talking about these drawings at OpenIDDevCamp
right now.

Thanks,
--David

On Dec 11, 2007, at 7:33 PM, NISHITANI Masaki wrote:

>
> I enumerated all possible cases to use OAuth and OpenID
> together to organize my thought a bit more.
>
> And correct the charts for one misunderstanding.
> In chart 3, there should be another user-interaction phase
> for SP, which behaves as a relying party in the OpenID context,
> to obtain the user identifier.
>
> I will be glad of any comment on this.
>
> Possible cases to use OAuth and OpenID together.
> ================================================
>
> 1. Consumer, SP and OP all differ (4-entity case)
>
>  1.1 Both Consumer and SP do not use OpenID at all.
>    - This is just a simple OAuth usecase (chart 1).
>
>  1.2 Consumer requires OpenID authentication, SP does not.
>    - Same as simple OAuth except place OpenID transactions
>      before initiating OAuth (above all chart 1 sequence).
>
>  1.3 SP requires OpenID authentication, Consumer does not.
>    - Chart 3.
>
>  1.4 Both require OpenID authentication.
>    - Almost the same as chart 3. Just place another OpenID
>      sequence above all of the lines.
>
> 2. Consumer and SP are the same.
>
>  Does not need to use OAuth.
>
> 3. SP and OP are the same.
>
>  3.1 Consumer does not use OpenID.
>    - Simple OAuth.
>
>  3.2 Consumer does use OpenID.
>    - Sequences are just the same as in chart 3, or possibly
>      optimized as in chart 4.
>
> 4. Consumer and OP are the same.
>
>  4.1 SP does not use OpenID
>    - Simple OAuth.
>
>  4.2 SP uses OpenID
>    - This is a bit of a strange case. It is possible to use
>      OpenID authentication for SP, but it is meaningless.
>      OAuth aims at data exchange without disclosing user
>      credentials, and in this case the consumer already knows
>      the user's credentials because it is an OpenID provider
>      itself.
>
> 5. All the same.
>  Surprisingly, needs neither OpenID nor OAuth.
>  Let me call this ``plain old web service'' ;-P
>
>
>> Hi all.
>>
>> Following the theme, OAuth and OpenID, talked about at IIW
>> 2007b, I have made up brief diagrams for a sort of
>> self-brainstorming.
>>
>> It is a shame for me not to have been able to join that
>> session at IIW, though according to the wiki page placed at
>> http://iiw.idcommons.net/index.php/OAuth_and_OpenID ,
>> it went over mainly the case where SP (an OAuth term)
>> and OP (an OpenID term) are the same one.
>>
>> Now the diagrams consist of -
>>
>> Page 1; Ordinary OAuth sequence chart.
>> Page 2; Same for OpenID.
>> Page 3; Using OAuth and OpenID together,
>>     Consumer does not need authorization but access to
>>     the user's data stored in SP, and SP uses OpenID as its
>>     authorization method.
>> Page 4; Superimposing OAuth and OpenID,
>>     SP and OP are the same one and the consumer requires the
>>     user's data stored in OP/SP and uses OpenID as well.
>>
>> This is a starting point for me and now I am looking for any
>> other use cases and trying to make myself clear.
>>
>> Probably there are some chances to make the protocols
>> simpler. One case is to skip the association phase, using the
>> Consumer secret or RSA key of the consumer to verify the
>> consumer/RP.
>>
>> I will be glad if I get comments.
>>
>>
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>
> <OpenID_OAuth_Chart.pdf>
