Building identity on top of OAuth 2.0?

David Recordon recordond at gmail.com
Sun May 16 18:40:09 UTC 2010


On Sun, May 16, 2010 at 2:45 AM, Santosh Rajan <santrajan at gmail.com> wrote:

> David,
>
> Couple of questions I have.
>
> 1) If "OpenID Connect" is about OAuth 2.0 why use the name OpenID at all?
> What has OpenID got to do with OAuth 2.0? Why not call it "OAuth Connect"?
>

To me, OpenID is about identity and OAuth is about authorization. When we
built OpenID we had Yadis for discovery which we built on top of, but didn't
have another technology for authorization. This meant that we created our
own mechanism around how the redirects happen, parameters are encoded, and
the signatures generated and verified.

Today we can replace all of that with OAuth 2.0. So OAuth builds on top of
HTTP, SSL, HMAC, etc which we can directly take advantage of.



> 2) I thought OpenID was about "Federated Identity". On the other hand OAuth
> 2.0 is about "Delegated Identity". Are you dumping the idea of "Federated
> Identity" once and for all for OpenID?
>

OpenID Connect is still about decentralized identity. "Federated Identity"
means one (or a small number) of providers within a previously agreed upon
circle of trust. One of the key things this proposal adds to OAuth 2.0 is
the ability to have a client the server has never heard of before make an
OpenID request. See http://openidconnect.com/#associations.



>
> 3) My apologies for asking such blunt questions. I will appreciate your
> answers for this. And if you have a good answer I will be your no 1
> supporter.
>

No problem, as I said this is really meant to help get the conversation
going again!

--David


> Thank you so much,
> Santosh
>
> On Sun, May 16, 2010 at 5:27 AM, David Recordon <recordond at gmail.com> wrote:
>
>> The past few months I've had a bunch of one on one conversations with a
>> lot of different people – including many of the folks on this list – about ways
>> to build a future version of OpenID on top of OAuth 2.0. Back in March when
>> I wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as
>> well (http://daveman692.livejournal.com/349384.html).
>>
>> Basically moving us to where there's a true technology stack of TCP/IP ->
>> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just
>> modernizing the technology, but also focusing on solving a few of the key
>> "product" issues we hear time and time again.
>>
>> I took the past few days to write down a lot of these ideas and glue them
>> together. Talked with Chris Messina who thought it was an interesting idea
>> and decided to dub it "OpenID Connect" (see
>> http://factoryjoe.com/blog/2010/01/04/openid-connect/). And thanks to
>> Eran Hammer-Lahav and Joseph Smarr for some help writing bits of it!
>>
>> So, a modest proposal that I hope gets the conversation going again.
>> http://openidconnect.com/
>>
>> --David
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>>
>
>
> --
> http://hi.im/santosh
>
>
>

