OpenID versus oAuth 2

Thu May 20 08:16:18 UTC 2010

Thanks Santosh.

It can definitely be written in Python easily as well.
I have put an implementation at https://openid4.us/ to make sure that
the spec works, but it took only a couple of days including my
learning Javascript for the first time.

Please go ahead and experiment with Python as well.
Trying to do it on GAE might be an interesting experiment.

A friend of mine says he is going to do it on Ruby,
and there is somebody who is working on Java right now.
(It may well be complete already.)

=nat

2010/5/18 Santosh Rajan <santrajan at gmail.com>:
> This is very good work.
> I must admit that I never took a good look at artifact binding. Because I
> had this impression that artifact binding is about AX. Now that I have read
> the spec I can see that there is much more to it than AX. It looks more like
> a rewrite of the core protocol itself.
> Yes I know this is going to raise some eyebrows here. But seriously, all we
> need to do is add webfinger to this and Viola we have OpenID V.Next.
> (Yes I agree it is not as simple as that, but I hope you get the gist of
> what i am suggesting).
> Also will it be possible to try this out in other languages like python, i
> mean can we have a trial OP setup somewhere.
>
> On Tue, May 18, 2010 at 4:03 PM, Nat Sakimura <n-sakimura at nri.co.jp> wrote:
>>
>> The same with Artifact Binding 1.0 draft 06. It is a chartered work group
>> at OpenID Foundation.
>> (OpenID Connect / v.Next etc. needs to be chartered and approved yet.)
>> It is very similar to David's straw man. Main difference is that you still
>> can get the same
>> identifier as OpenID 2.0. It also is a trivially implementable spec.
>>
>> See here: https://openid4.us/ for links etc.
>>
>> Cheers,
>>
>> =nat
>>
>>
>> (2010/05/17 22:27), Alex Barth wrote:
>>>
>>> Small aside: I've implemented a similar workflow myself recently and I've
>>> avoided any changes of user account details on Relying Parties:
>>>
>>> http://developmentseed.org/blog/2010/mar/02/simple-sign-openid
>>>
>>> All changes to accounts properties (user name, email, etc) are done on
>>> the provider to avoid asynchronicities.
>>>
>>> Alex
>>>
>>> On May 17, 2010, at 12:03 AM, Manuel Lemos wrote:
>>>
>>>> Hello,
>>>>
>>>> With this thread of using oAuth 2 for identity I am confused to which
>>>> protocol should I use for a single sign-on solution that I need to
>>>> implement.
>>>>
>>>> Let me explain my case and see if anybody can clarify what is the best
>>>> solution for me.
>>>>
>>>> I have one site, lets call it site A, that has many user accounts. I
>>>> want to build another site, lets call it site B, but I do not want users
>>>> with accounts in site A to create new accounts to access site B. They
>>>> could just use the same account data from site A and use it in site B.
>>>> In the future I may have sites C, D, etc..
>>>>
>>>> I thought of creating an OpenID authentication server, lets call it OP,
>>>> and migrate user account from site A to OP. When users go to site A or B
>>>> and need to login, they are redirected via OpenID to OP for
>>>> authentication.
>>>>
>>>> If successful, OP passes site A or B the account, personal name, nick
>>>> name and e-mail when redirecting back to sites A or B, so those sites
>>>> always have copies of that account information for imediate use.
>>>>
>>>> If the user updates one of those details in site A or B, they push the
>>>> changes to OP and OP propagates the changes to the other site A or B
>>>> that also has the same user account.
>>>>
>>>>> From the specifications that I read, OpenID and its extensions can be
>>>>
>>>> used the way I need.
>>>>
>>>> This will all be used only within my network sites. I do not intend to
>>>> allow users to autheticate with external OpenID providers, nor I want
>>>> other sites to use my OpenID provider to authenticate in other sites.
>>>>
>>>> Since this is meant for use restricted to my sites, I could invent a
>>>> proprietary protocol, but I thought it was better to not reinvent the
>>>> wheel.
>>>>
>>>> I will develop all the necessary components to implement the OpenID
>>>> provider and consumers with the needed extensions. Actually the consumer
>>>> component is mostly done.
>>>>
>>>> I was moving to the OpenID provider component when I noticed this thread
>>>> of using oAuth 2 for identity. So now I wonder if I am in the right
>>>> path? Shall I keep doing it with OpenID or shall I do it with oAuth 2?
>>>> Can anybody please shed some light so I can make the best decision?
>>>>
>>>> --
>>>>
>>>> Regards,
>>>> Manuel Lemos
>>>>
>>>> Find and post PHP jobs
>>>> http://www.phpclasses.org/jobs/
>>>>
>>>> PHP Classes - Free ready to use OOP components written in PHP
>>>> http://www.phpclasses.org/
>>>> _______________________________________________
>>>> specs mailing list
>>>> specs at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>>
>>> Alex Barth
>>> http://www.developmentseed.org/blog
>>> tel (202) 250-3633
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> specs mailing list
>>> specs at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>>
>> --
>> Nat Sakimura
>>
>> このメールには、本来の宛先の方のみに限定された機密情報が含まれている場
>> 合がございます。お心あたりのない場合は、送信者にご連絡のうえ、このメー
>> ルを削除してくださいますようお願い申し上げます。
>> PLEASE READ：This e-mail is confidential and intended for the named re
>> cipient only. If you are not an intended recipient, please notify the
>> sender and delete this e-mail.
>>
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>
>
>
> --
> http://hi.im/santosh
>
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en