Building identity on top of OAuth 2.0?

Joseph Holsten joseph at josephholsten.com
Mon May 17 00:08:24 UTC 2010


Shade wrote:
> Neither the old nor the new is pleasant. It's just a different kind of unpleasant, really.

So have you got a decision criterion you think we should use to pick between them? Perhaps an alternative mechanism we could use instead?

I'd like to decide based on the cost of implementation, with some consideration paid to migration costs. Assuming, of course, that the performance and security situations are similar.

As I've already seen plenty of folks accidentally handle delegation wrong in RP code, I'd guess people will spend less time fixing bugs without it. It doesn't seem to have much impact on OP code. So I'm for cutting delegation, especially if we mandate identity correlation across rel=me and xrd aliases.
--
http://josephholsten.com


More information about the specs mailing list