Building identity on top of OAuth 2.0?

David Recordon recordond at gmail.com
Sun May 16 06:33:37 UTC 2010


Oh, and in terms of using host-meta / JRD for profile info. I think we're
going to get there. If I pass an OAuth token into a JRD endpoint I might see
service endpoints that the user didn't expose publicly. I also sort of like
the idea of making the user identifier an API endpoint itself.


On Sat, May 15, 2010 at 11:31 PM, David Recordon <recordond at gmail.com> wrote:

> Thanks Joseph!
>
> When proposing the User Info API (http://openidconnect.com/#API) I was
> really looking to establish what the minimum requirements are to provide the
> value that sites are asking for and be interoperable. It's pretty clear that
> JSON is the correct format for this API versus XML or returning
> HTML snippets.  Both Simple Registration and Attribute Exchange are schemas
> which rely on OpenID 1.0/2.0 messages for syntax and neither has been
> widely adopted.
>
> From there I started looking for profile APIs in JSON. Portable Contacts is
> the leading technology, but it too isn't widely adopted today. OpenID,
> OAuth, Twitter, and Facebook all use underscores in parameter names while
> Portable Contacts uses camelCase. I thus decided to take the parameter names
> in Portable Contacts – Joseph Smarr did a lot of research into good
> internationalized names – and convert them from camel case. I also flattened
> the lists since the API is meant to be minimal and simple, but extensible by
> servers.
>
> Thus displayName became display_name and name:firstName became first_name.
>
> As I said on the site, I fully expect Portable Contacts, Activity Streams,
> etc. to be deployed with OpenID Connect and even have those sorts of APIs be
> used more actively than the simple User Info API. By providing what's
> required for interop and an OAuth token we're able to push innovation around
> APIs out to other communities versus trying to make OpenID do everything
> itself.
>
> So all of that said, any suggestions of how the User Info API could do a
> better job of reusing existing schemas?
>
> Thanks,
> --David
>
>
> On Sat, May 15, 2010 at 11:12 PM, Joseph Holsten <joseph at josephholsten.com> wrote:
>
>> David Recordon wrote:
>> > Basically moving us to where there's a true technology stack of TCP/IP
>> > -> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not
>> > just modernizing the technology, but also focusing on solving a few of the
>> > key "product" issues we hear time and time again.
>>
>> I started a response, but it got into tldr territory, so I blahged
>> instead. Briefly, let's not reinvent the user info wheel another time.
>> http://blog.josephholsten.com/2010/05/your-new-new-web-identity/
>> --
>> http://josephholsten.com