RECOMMENDED: Proposal to create the OpenID and OAuth Hybrid Extension working group

David Recordon david at sixapart.com
Wed Jan 28 19:01:19 UTC 2009


The Specifications Council recommends that the Foundation members
approve the creation of the OpenID and OAuth Hybrid Extension working
group (http://openid.net/pipermail/specs-council/2009-January/000099.html),
as proposed below and found at
http://wiki.openid.net/OpenID-and-OAuth-Hybrid-Extension.

If you are a member of the OpenID Foundation, you'll be able to log in
and vote on the creation of this new working group after this 14-day  
notice period.  The vote thus will be from Wednesday February 11th  
through Wednesday February 18th.  All votes are held in US Pacific Time.

--David


Background Information
OpenID has always been focused on how to enable user-authentication  
within the browser.  Over the last year, OAuth has been developed to  
allow authorization either from within a browser, desktop software, or  
mobile devices. Obviously there has been interest in using OpenID and  
OAuth together allowing a user to share their identity as well as  
grant a Relying Party access to an OAuth protected resource in a  
single step. A small group of people have been working on developing  
an extension to OpenID which makes this possible in a collaborative  
fashion within http://code.google.com/p/step2/. This small project  
includes a draft spec and Open Source implementations which the  
proposers would like to finalize within the OpenID Foundation.

Working Group Name
OpenID OAuth Hybrid Working Group

Purpose
Produce a standard OpenID extension to the OpenID Authentication  
protocol that provides a mechanism to embed an OAuth approval request  
into an OpenID authentication request to permit combined user  
approval. The extension addresses the use case where the OpenID  
Provider and OAuth Service Provider are the same service. To provide  
good user experience, it is important to present a combined  
authentication and authorization screen for the two protocols.

Scope
The proposed work is as follows:

     * Extend the OpenID authentication request/response and the
assertion verification mechanism, to embed an OAuth approval request
into an OpenID authentication request, assuming the OpenID Provider
and OAuth Service Provider are the same service.
     * Insulation of each protocol from the other, both for backwards
compatibility as well as to enable OpenID and OAuth to evolve and
incorporate additional features without requiring reviews of the
combined usage, especially to allow future support for unregistered
OAuth consumers.
     * Security analysis and best practices

Out of scope

     * The OpenID extension does not define an unregistered OAuth  
consumers mode, but instead ensures that such support would be  
possible by protocol insulation. The unregistered consumers mode  
should be defined separately in the OAuth specifications.

Anticipated Contributions
Finalize the OpenID OAuth Extension spec
(http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html)
as an official OpenID Extension.

Proposed List of Specifications
OpenID OAuth Extension 1.0. Specification completion by Q1 2009.

Anticipated audience or users of the work
     * OpenID Providers and Relying Parties
     * OAuth Consumers and Service Providers
     * Implementers of OpenID Providers and Relying Parties

Language in which the WG will conduct business
English.

Method of work
E-mail discussions on the working group mailing list and working group  
conference calls.

Basis for determining when the work of the WG is completed
The work will be completed once it is apparent that maximal consensus  
on the protocol proposal has been achieved within the working group,  
consistent with the purpose and scope.

Proposers
     * Ben Laurie, benl at google.com, Google
     * Breno de Medeiros, breno at google.com, Google
     * David Recordon, drecordon at sixapart.com, Six Apart
     * Dirk Balfanz, balfanz at google.com, Google
     * Joseph Smarr, jsmarr at plaxo.com, Plaxo
     * Yariv Adan, yariv at google.com, Google
     * Allen Tom, atom at yahoo-inc.com, Yahoo
     * Josh Hoyt, josh at janrain.com, JanRain

Initial Editors
     * Dirk Balfanz, balfanz at google.com, Google
     * Breno de Medeiros, breno at google.com, Google
