OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom atom at yahoo-inc.com
Thu Nov 13 20:46:13 UTC 2008


Hi Yariv,

In the registered consumer case, the SP will need the Consumer Key to 
show the Approval page. Previous versions of the spec had the Request 
Token in the OpenID Authentication request, which allowed the SP to 
derive the Consumer Key from the Request Token. At the IIW, we had 
discussed somehow tying the Association Handle to the Consumer Key.

Regardless of the solution, the SP will need to be know the Consumer Key 
in order to properly identify the OAuth Consumer when displaying the 
Approval page. The OpenID Realm is not quite sufficient, at least for 
SPs which require consumers to pre-register for a CK.

One possible optimization would be to just use the Consumer Key as the 
OpenID Association Handle, and Consumer Secret as the OpenID 
Association. The Consumer can just sign the OpenID Auth request using 
its CK/CS and the OP can return a pre-approved response token in the 
OpenID assertion. The Consumer can then exchange the response token for 
the OAuth Access Token/ ATS.

Thoughts?
Allen



Yariv Adan wrote:
> Following the IIW session on this topic, we updated the spec in 
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html 
> to address the issues that were raised. Especially, optimizing on how 
> OAuth request token is handled, allowed to remove one full roundtrip!
> Would appreciate any feedback on the updated suggestion.
>
> Thanks
>
> On Mon, Nov 3, 2008 at 12:00 PM, <specs-request at openid.net 
> <mailto:specs-request at openid.net>> wrote:
>
>     Send specs mailing list submissions to
>            specs at openid.net <mailto:specs at openid.net>
>
>     To subscribe or unsubscribe via the World Wide Web, visit
>            http://openid.net/mailman/listinfo/specs
>     or, via email, send a message with subject or body 'help' to
>            specs-request at openid.net <mailto:specs-request at openid.net>
>
>     You can reach the person managing the list at
>            specs-owner at openid.net <mailto:specs-owner at openid.net>
>
>     When replying, please edit your Subject line so it is more specific
>     than "Re: Contents of specs digest..."
>
>
>     Today's Topics:
>
>       1. Proposal to create the OpenID OAuth Hybrid Working Group
>          (Yariv Adan)
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Mon, 3 Nov 2008 15:30:57 +0100
>     From: Yariv Adan <yariv at google.com <mailto:yariv at google.com>>
>     Subject: Proposal to create the OpenID OAuth Hybrid Working Group
>     To: specs at openid.net <mailto:specs at openid.net>
>     Message-ID:
>          
>      <7c1383150811030630r2eaf4e5fxdad6dfbd00cf9010 at mail.gmail.com
>     <mailto:7c1383150811030630r2eaf4e5fxdad6dfbd00cf9010 at mail.gmail.com>>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>      In accordance with the OpenID Foundation IPR policies and procedures<
>     http://openid.net/foundation/intellectual-property/ > this note
>     proposes the
>     formation of a new working group chartered to produce an OpenID
>     specification.
>     As per Section 4.1 of the Policies, the specifics of the proposed
>     working
>     group are:
>
>     Background Information:
>     OpenID has always been focused on how to enable
>     user-authentication within
>     the browser.  Over the last year, OAuth has been developed to allow
>     authorization either from within a browser, desktop software, or
>     mobile
>     devices.  Obviously there has been interest in using OpenID and OAuth
>     together allowing a user to share their identity as well as grant
>     a Relying
>     Party access to an OAuth protected resource in a single step.  A
>     small group
>     of people have been working on developing an extension to OpenID
>     which makes
>     this possible in a collaborative fashion within
>     http://code.google.com/p/step2/.  This small project includes a
>     draft spec
>     and Open Source implementations which the proposers would like to
>     finalize
>     within the OpenID Foundation.
>
>
>     Working Group Name:
>     OpenID OAuth Hybrid Working Group
>
>
>     Purpose:
>     Produce a standard OpenID extension to the OpenID Authentication
>     protocol
>     that provides a mechanism to embed an OAuth approval request into
>     an OpenID
>     authentication request to permit combined user approval. The extension
>     addresses the use case where the OpenID Provider and OAuth Service
>     Provider
>     are the same service. To provide good user experience, it is
>     important to
>     present a combined authentication and authorization screen for the two
>     protocols.
>
>
>     Scope:
>     Standardize the draft Hybrid Protocol (
>     http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html)
>     as an official OpenID Extension describing how to combine an OpenID
>     authentication request with the approval of an OAuth request token.
>
>
>     Anticipated Contributions:
>     Draft specification referenced above and various text
>     contributions as more
>     developers implement it.
>
>
>     Proposed List of Specifications:
>     OpenID OAuth Extension 1.0. Spec completion by Q4 2008.
>
>
>     Anticipated audience or users of the work:
>      - OpenID Providers and Relying Parties
>      - OAuth Consumers and Service Providers
>      - Implementers of OpenID Providers and Relying Parties
>
>
>     Language in which the WG will conduct business:
>     English.
>
>
>     Method of work:
>     E-mail discussions on the working group mailing list and working group
>     conference calls.
>
>
>     Basis for determining when the work of the WG is completed:
>     The work will be completed once it is apparent that maximal
>     consensus on the
>     protocol proposal has been achieved within the working group,
>     consistent
>     with the purpose and scope.
>
>
>     Proposers:
>      - Ben Laurie, benl at google.com <mailto:benl at google.com>, Google
>      - Breno de Medeiros, breno at google.com <mailto:breno at google.com>,
>     Google
>      - David Recordon, drecordon at sixapart.com
>     <mailto:drecordon at sixapart.com>, Six Apart
>      - Dirk Balfanz, balfanz at google.com <mailto:balfanz at google.com>,
>     Google
>      - Joseph Smarr, jsmarr at plaxo.com <mailto:jsmarr at plaxo.com>, Plaxo
>      - Yariv Adan, yariv at google.com <mailto:yariv at google.com>, Google
>      - Allen Tom, atom at yahoo-inc.com <mailto:atom at yahoo-inc.com> ,
>     Yahoo
>      - Josh Hoyt, josh at janrain.com <mailto:josh at janrain.com> , JanRain
>
>
>     Initial Editors:
>      - Dirk Balfanz, balfanz at google.com <mailto:balfanz at google.com>,
>     Google  - Breno de Medeiros,
>     breno at google.com <mailto:breno at google.com>, Google
>
>
>     --
>     Yariv Adan | Product Manager
>     Google Switzerland GmbH | Identifikationsnummer: CH-020.4.028.116-1
>     This e-mail is confidential. If you are not the right addressee
>     please do
>     not forward it, please inform the sender, and please erase this e-mail
>     including any attachments. Thanks.
>     -------------- next part --------------
>     An HTML attachment was scrubbed...
>     URL:
>     http://openid.net/pipermail/specs/attachments/20081103/21c48c00/attachment.html
>
>     ------------------------------
>
>     _______________________________________________
>     specs mailing list
>     specs at openid.net <mailto:specs at openid.net>
>     http://openid.net/mailman/listinfo/specs
>
>     End of specs Digest, Vol 27, Issue 3
>     ************************************
>
>
>
>
> -- 
> Yariv Adan | Product Manager
> Google Switzerland GmbH | Identifikationsnummer: CH-020.4.028.116-1
> This e-mail is confidential. If you are not the right addressee please 
> do not forward it, please inform the sender, and please erase this 
> e-mail including any attachments. Thanks.  
> ------------------------------------------------------------------------
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20081113/3b1f953a/attachment-0002.htm>


More information about the specs mailing list