OpenID versus oAuth 2

Nat Sakimura n-sakimura at nri.co.jp
Tue May 18 10:33:47 UTC 2010


The same with Artifact Binding 1.0 draft 06. It is a chartered working
group at the OpenID Foundation.
(OpenID Connect / v.Next etc. still need to be chartered and approved.)
It is very similar to David's straw man. The main difference is that you
can still get the same identifier as in OpenID 2.0. It is also a
trivially implementable spec.

See here: https://openid4.us/ for links etc.

Cheers,

=nat


(2010/05/17 22:27), Alex Barth wrote:
>
> Small aside: I've implemented a similar workflow myself recently and 
> I've avoided any changes of user account details on Relying Parties:
>
> http://developmentseed.org/blog/2010/mar/02/simple-sign-openid
>
> All changes to accounts properties (user name, email, etc) are done on 
> the provider to avoid asynchronicities.
>
> Alex
>
> On May 17, 2010, at 12:03 AM, Manuel Lemos wrote:
>
>> Hello,
>>
>> With this thread of using oAuth 2 for identity I am confused to which
>> protocol should I use for a single sign-on solution that I need to
>> implement.
>>
>> Let me explain my case and see if anybody can clarify what is the best
>> solution for me.
>>
>> I have one site, lets call it site A, that has many user accounts. I
>> want to build another site, lets call it site B, but I do not want users
>> with accounts in site A to create new accounts to access site B. They
>> could just use the same account data from site A and use it in site B.
>> In the future I may have sites C, D, etc..
>>
>> I thought of creating an OpenID authentication server, lets call it OP,
>> and migrate user account from site A to OP. When users go to site A or B
>> and need to login, they are redirected via OpenID to OP for 
>> authentication.
>>
>> If successful, OP passes site A or B the account, personal name, nick
>> name and e-mail when redirecting back to sites A or B, so those sites
>> always have copies of that account information for immediate use.
>>
>> If the user updates one of those details in site A or B, they push the
>> changes to OP and OP propagates the changes to the other site A or B
>> that also has the same user account.
>>
>> From the specifications that I read, OpenID and its extensions can be
>> used the way I need.
>>
>> This will all be used only within my network sites. I do not intend to
>> allow users to authenticate with external OpenID providers, nor do I want
>> other sites to use my OpenID provider to authenticate in other sites.
>>
>> Since this is meant for use restricted to my sites, I could invent a
>> proprietary protocol, but I thought it was better to not reinvent the 
>> wheel.
>>
>> I will develop all the necessary components to implement the OpenID
>> provider and consumers with the needed extensions. Actually the consumer
>> component is mostly done.
>>
>> I was moving to the OpenID provider component when I noticed this thread
>> of using oAuth 2 for identity. So now I wonder if I am in the right
>> path? Shall I keep doing it with OpenID or shall I do it with oAuth 2?
>> Can anybody please shed some light so I can make the best decision?
>>
>> -- 
>>
>> Regards,
>> Manuel Lemos
>>
>> Find and post PHP jobs
>> http://www.phpclasses.org/jobs/
>>
>> PHP Classes - Free ready to use OOP components written in PHP
>> http://www.phpclasses.org/
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>
> Alex Barth
> http://www.developmentseed.org/blog
> tel (202) 250-3633
>


-- 
Nat Sakimura

This e-mail may contain confidential information intended only for the
original addressee. If you have received it in error, please contact the
sender and delete this e-mail.
PLEASE READ: This e-mail is confidential and intended for the named
recipient only. If you are not an intended recipient, please notify the
sender and delete this e-mail.
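Worked example for the flow Manuel describes (OP redirects back to site A or B with the identifier plus nickname, full name and e-mail carried as SREG extension fields). This is example code added to the archived thread; it is not from any of the posters, from the OpenID specs' reference implementations or from any library. It assumes constructed hosts (op.example.com, site-b.example.com), a fixed association secret in place of a real association request, and leaves discovery, check_authentication and persistent nonce storage out. The security point it shows is the one an RP copying attributes into its own account store needs: the SREG fields and their namespace alias must be listed in openid.signed and covered by the HMAC, and the RP must check return_to, op_endpoint, the signature and the response_nonce before trusting anything in the response.

```python
"""OpenID 2.0 positive assertion with SREG attributes: OP-side signing and
RP-side verification. Example written for this thread, not library code."""
import base64
import hashlib
import hmac
import secrets
import time

# Namespace URIs from OpenID Authentication 2.0 and SREG 1.1.
OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

# Constructed values for the example; none of these hosts are real.
OP_ENDPOINT = "https://op.example.com/openid"
RETURN_TO = "https://site-b.example.com/openid/return"
CLAIMED_ID = "https://op.example.com/id/mlemos"
PROFILE = {"nickname": "mlemos", "fullname": "Manuel Lemos",
           "email": "manuel@example.com"}  # constructed sample profile


def kv_form(fields, signed_keys):
    """Key-Value Form: 'key:value\\n' per signed key, in openid.signed order,
    with the 'openid.' prefix stripped (OpenID 2.0 sections 4.1.1 and 6.1)."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(fields, signed_keys, mac_key):
    """Base64 HMAC-SHA256 over the key-value form (assoc_type HMAC-SHA256)."""
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def op_positive_assertion(mac_key, assoc_handle, claimed_id, return_to, profile):
    """Parameters the OP puts in the redirect back to the RP after login.
    The SREG fields and their namespace alias are in openid.signed, so the
    RP can trust the attributes and not only the identifier."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id, "openid.return_to": return_to,
        "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
        "openid.ns.sreg": SREG_NS, "openid.sreg.nickname": profile["nickname"],
        "openid.sreg.fullname": profile["fullname"], "openid.sreg.email": profile["email"],
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.sreg", "sreg.nickname", "sreg.fullname", "sreg.email"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return fields


class RelyingParty:
    """Site A/B side. `associations` maps assoc_handle -> MAC key obtained from
    an earlier association request with the OP (that exchange is omitted)."""
    REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to",
                       "response_nonce", "assoc_handle"}

    def __init__(self, return_to, associations):
        self.return_to = return_to
        self.associations = associations
        self.seen_nonces = set()  # production: persistent store with expiry

    def verify(self, fields):
        """Return (accepted, reason, profile). Structural checks first, then the
        signature, and the replay check only once the message is known-good."""
        if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion", None
        if fields.get("openid.return_to") != self.return_to:
            return False, "return_to does not match this RP", None
        if fields.get("openid.op_endpoint") != OP_ENDPOINT:
            return False, "unexpected op_endpoint", None
        mac_key = self.associations.get(fields.get("openid.assoc_handle"))
        if mac_key is None:
            return False, "unknown assoc_handle (would need check_authentication)", None
        signed = fields.get("openid.signed", "").split(",")
        if not self.REQUIRED_SIGNED <= set(signed):
            return False, "mandatory field not covered by signature", None
        if any("openid." + k not in fields for k in signed):
            return False, "signed field missing from message", None
        # Any attribute copied into the local account must be signed; an unsigned
        # openid.sreg.* parameter could come from the browser, not from the OP.
        for k in fields:
            if (k.startswith("openid.sreg.") or k == "openid.ns.sreg") and k[7:] not in signed:
                return False, f"unsigned extension field {k}", None
        if not hmac.compare_digest(sign(fields, signed, mac_key), fields.get("openid.sig", "")):
            return False, "bad signature", None
        nonce = fields["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return False, "replayed response_nonce", None
        self.seen_nonces.add(nonce)
        profile = {k[len("openid.sreg."):]: v for k, v in fields.items()
                   if k.startswith("openid.sreg.")}
        profile["claimed_id"] = fields["openid.claimed_id"]
        return True, "ok", profile


def demo():
    """Happy path, a tampered e-mail attribute, and a replay of the same response."""
    mac_key = bytes(range(32))  # constructed association secret for the example
    rp = RelyingParty(RETURN_TO, {"assoc-1": mac_key})
    assertion = op_positive_assertion(mac_key, "assoc-1", CLAIMED_ID, RETURN_TO, PROFILE)
    ok, _, profile = rp.verify(assertion)
    tampered = dict(assertion, **{"openid.sreg.email": "attacker@example.net"})
    ok_tampered, why_tampered, _ = rp.verify(tampered)
    ok_replay, why_replay, _ = rp.verify(assertion)
    return {"valid": ok, "profile": profile, "tampered": ok_tampered,
            "tampered_reason": why_tampered, "replay": ok_replay, "replay_reason": why_replay}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module accepts the signed response, rejects the copy whose e-mail was changed in transit with "bad signature", and rejects the second delivery of the original with "replayed response_nonce". The per-field check that every openid.sreg.* key appears in openid.signed is the piece most home-grown RPs forget; without it a user can append an unsigned sreg.email to the redirect and have site B store an address the OP never asserted.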