OpenID versus oAuth 2

Santosh Rajan santrajan at gmail.com
Tue May 18 12:58:43 UTC 2010


This is very good work.

I must admit that I never took a good look at artifact binding. Because I
had this impression that artifact binding is about AX. Now that I have read
the spec I can see that there is much more to it than AX. It looks more like
a rewrite of the core protocol itself.

Yes I know this is going to raise some eyebrows here. But seriously, all we
need to do is add webfinger to this and Viola we have OpenID V.Next.

(Yes I agree it is not as simple as that, but I hope you get the gist of
what i am suggesting).

Also will it be possible to try this out in other languages like python, i
mean can we have a trial OP setup somewhere.

On Tue, May 18, 2010 at 4:03 PM, Nat Sakimura <n-sakimura at nri.co.jp> wrote:

> The same with Artifact Binding 1.0 draft 06. It is a chartered work group
> at OpenID Foundation.
> (OpenID Connect / v.Next etc. needs to be chartered and approved yet.)
> It is very similar to David's straw man. Main difference is that you still
> can get the same
> identifier as OpenID 2.0. It also is a trivially implementable spec.
>
> See here: https://openid4.us/ for links etc.
>
> Cheers,
>
> =nat
>
>
>
> (2010/05/17 22:27), Alex Barth wrote:
>
>>
>> Small aside: I've implemented a similar workflow myself recently and I've
>> avoided any changes of user account details on Relying Parties:
>>
>> http://developmentseed.org/blog/2010/mar/02/simple-sign-openid
>>
>> All changes to accounts properties (user name, email, etc) are done on the
>> provider to avoid asynchronicities.
>>
>> Alex
>>
>> On May 17, 2010, at 12:03 AM, Manuel Lemos wrote:
>>
>>  Hello,
>>>
>>> With this thread of using oAuth 2 for identity I am confused to which
>>> protocol should I use for a single sign-on solution that I need to
>>> implement.
>>>
>>> Let me explain my case and see if anybody can clarify what is the best
>>> solution for me.
>>>
>>> I have one site, lets call it site A, that has many user accounts. I
>>> want to build another site, lets call it site B, but I do not want users
>>> with accounts in site A to create new accounts to access site B. They
>>> could just use the same account data from site A and use it in site B.
>>> In the future I may have sites C, D, etc..
>>>
>>> I thought of creating an OpenID authentication server, lets call it OP,
>>> and migrate user account from site A to OP. When users go to site A or B
>>> and need to login, they are redirected via OpenID to OP for
>>> authentication.
>>>
>>> If successful, OP passes site A or B the account, personal name, nick
>>> name and e-mail when redirecting back to sites A or B, so those sites
>>> always have copies of that account information for imediate use.
>>>
>>> If the user updates one of those details in site A or B, they push the
>>> changes to OP and OP propagates the changes to the other site A or B
>>> that also has the same user account.
>>>
>>>  From the specifications that I read, OpenID and its extensions can be
>>>>
>>> used the way I need.
>>>
>>> This will all be used only within my network sites. I do not intend to
>>> allow users to autheticate with external OpenID providers, nor I want
>>> other sites to use my OpenID provider to authenticate in other sites.
>>>
>>> Since this is meant for use restricted to my sites, I could invent a
>>> proprietary protocol, but I thought it was better to not reinvent the
>>> wheel.
>>>
>>> I will develop all the necessary components to implement the OpenID
>>> provider and consumers with the needed extensions. Actually the consumer
>>> component is mostly done.
>>>
>>> I was moving to the OpenID provider component when I noticed this thread
>>> of using oAuth 2 for identity. So now I wonder if I am in the right
>>> path? Shall I keep doing it with OpenID or shall I do it with oAuth 2?
>>> Can anybody please shed some light so I can make the best decision?
>>>
>>> --
>>>
>>> Regards,
>>> Manuel Lemos
>>>
>>> Find and post PHP jobs
>>> http://www.phpclasses.org/jobs/
>>>
>>> PHP Classes - Free ready to use OOP components written in PHP
>>> http://www.phpclasses.org/
>>> _______________________________________________
>>> specs mailing list
>>> specs at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>>
>>
>> Alex Barth
>> http://www.developmentseed.org/blog
>> tel (202) 250-3633
>>
>>
>>
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>
>
> --
> Nat Sakimura
>
> このメールには、本来の宛先の方のみに限定された機密情報が含まれている場
> 合がございます。お心あたりのない場合は、送信者にご連絡のうえ、このメー
> ルを削除してくださいますようお願い申し上げます。
> PLEASE READ:This e-mail is confidential and intended for the named re
> cipient only. If you are not an intended recipient, please notify the
> sender and delete this e-mail.
>
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>



-- 
http://hi.im/santosh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20100518/24a2dcf9/attachment.htm>


More information about the specs mailing list