Building identity on top of OAuth 2.0?

Phillip Hallam-Baker hallam at gmail.com
Wed May 19 18:10:22 UTC 2010


One thing to bear in mind is that the technical arguments aside, the
Facebook/Connect and Twitter/Connect world is in serious trouble. This
may spell opportunity or difficulty for OpenID.

Facebook is currently under assault for its abusive privacy policy.
There is a considerable backlash brewing and those who live by viral
marketing can die in the same way.

The odd thing about Twitter Connect is that several sites that I had
been connecting to using my Twitter account seem to have recently
discontinued it.

I think that the inconsistencies and conflicts inherent in those
models are starting to be exposed.


On Wed, May 19, 2010 at 2:05 PM, David Recordon <recordond at gmail.com> wrote:
> On Wed, May 19, 2010 at 7:49 AM, John Bradley <john.bradley at wingaa.com>
> wrote:
>>
>> From conversations at IIW, I would say that David/Facebook's design goal is
>> something as simple as possible for the RP to get the minimum information.
>
> I wouldn't say that these are just my design goals; what I proposed is very
> similar even to what Twitter shipped a few years ago on OAuth 1.0.
> http://apiwiki.twitter.com/Sign-in-with-Twitter
>
>> That may well translate into weak, in this version of the proposal.
>> Talking to Brenno and others, variations on this approach may be
>> significantly less weak.
>> Once there is an openID WG considering the issue under our IPR policy I
>> will feel significantly more comfortable contributing.
>> As a community director, doing openID standards development outside of the
>> foundation is not something that I can personally participate in.
>> I am looking forward to the vNext working group getting to work.
>> I hope as a member you will be participating as well.
>> Regards
>> John B.
>> On 2010-05-19, at 2:25 AM, Ben Laurie wrote:
>>
>>
>> On 16 May 2010 00:57, David Recordon <recordond at gmail.com> wrote:
>>>
>>> The past few months I've had a bunch of one on one conversations with a
>>> lot of different people – including many folks on this list – about ways
>>> to build a future version of OpenID on top of OAuth 2.0. Back in March when
>>> I wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as
>>> well (http://daveman692.livejournal.com/349384.html).
>>> Basically moving us to where there's a true technology stack of TCP/IP ->
>>> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just
>>> modernizing the technology, but also focusing on solving a few of the key
>>> "product" issues we hear time and time again.
>>> I took the past few days to write down a lot of these ideas and glue them
>>> together. Talked with Chris Messina who thought it was an interesting idea
>>> and decided to dub it "OpenID Connect" (see
>>> http://factoryjoe.com/blog/2010/01/04/openid-connect/). And thanks to Eran
>>> Hammer-Lahav and Joseph Smarr for some help writing bits of it!
>>> So, a modest proposal that I hope gets the conversation going
>>> again. http://openidconnect.com/
>>
>> If the goal is to get something as weak as possible without it instantly
>> collapsing around your ears, then this sounds like a great plan.
>> If, OTOH, you are interested in actually protecting peoples' identities,
>> then OAuth 2.0 doesn't seem like a great starting point.
>>
>>>
>>> --David
>>> _______________________________________________
>>> specs mailing list
>>> specs at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>>
>>



-- 
Website: http://hallambaker.com/

