Building identity on top of OAuth 2.0?

Allen Tom atom at yahoo-inc.com
Thu May 20 03:18:00 UTC 2010


Whoa, I think it's premature to say that Yahoo supports OpenID Connect, but
I would imagine that only a single Access Token would be returned to
coolcalendar.com - the Access Token would presumably be good for both
"openid" and "calendar" scope. Why would the OP want to return 2 tokens?

Allen


On 5/19/10 5:27 PM, "Dirk Balfanz" <balfanz at google.com> wrote:

> 
> Let's say I'm coolcalendar.com, and I want to
> "connect" one of my user's accounts to his Yahoo! account. I don't want to
> roll my own auth system, so I'm happy to see that Yahoo! supports OpenID
> Connect. To connect, I'll send the user over to Yahoo! with
> scope=openid%20yahoo-calendar. What I get back, in your proposal, is two
> different kinds of "tokens": the access token that my servers use to access
> Yahoo! and something I'll call "openid connect token" (which in your proposal
> comprises a few different parameters - user id, timestamp, signature, etc.)
> that browsers use (in form of a cookie) to access my own servers at
> coolcalendar.com.
> 
> Why do those two tokens look different? They serve the same purpose -
> authenticating access from a client to a server, so they should look the
> same. 
> 
> Why should Yahoo! run different code to authenticate requests coming from my
> server than the code I'm running on my servers to authenticate requests coming
> from browsers - we have to solve the same task, so we should run the same
> code. It's simpler.  
> 
