Non-interactive logins

James Henstridge james at jamesh.id.au
Wed Jul 16 05:26:08 UTC 2008


On Wed, Jul 16, 2008 at 12:38 PM, Anders Feder <lists.anders at feder.dk> wrote:
> Tue, 15 07 2008 at 21:28 -0700, John Panzer wrote:
>> And of course any number of extensions could be created to obtain an
>> access token via an alternate path, after which normal OAuth can be
>> used.
>
> Sure, but isn't this equally true for OpenID?

Most OpenID RPs maintain some kind of session for the user, but that
is not required by the spec (some require OpenID auth to perform each
action).

In contrast, the whole point of OAuth is to generate an authorisation
token that can be used for machine access to a site multiple times in
the future.  The OAuth service provider might use OpenID when deciding
whether to grant an authorisation token to a client to access the site
on behalf of a particular user if appropriate.

James.


