[OpenID board] Why Connect?

Nat Sakimura sakimura at gmail.com
Tue May 25 12:19:27 UTC 2010


A bit of comment.

On Tue, May 25, 2010 at 4:57 AM, David Recordon <recordond at gmail.com> wrote:
>
> Allen Tom:
>>
>> Connect has a well defined scope that standardizes an identity interface
>> using OAuth – which has already been widely implemented and has already
>> proven to work by several vendors. Based on adoption, it's obvious that the
>> marketplace wants this. Given that there are several widely implemented and
>> very successful implementations of Identity using OAuth – it's pretty
>> straightforward and almost obvious how to build OpenID Connect by taking the
>> best practices of what's already been implemented.
>>
>> I do think that the community would be better off if we could drop the
>> Connect branding. Perhaps we can call it OpenID 3.0 Core, and the use cases
>> that are in the v.Next Proposal that are not in Core can be built on top of
>> 3.0 Core.
>

I agree with Allen.

I like the architecture. It basically is (OpenID Artifact Binding) +
(New Disco & Assoc) - (features that support LoA1+ (such as Magic
Signature, etc.)).

For those of you who are not acquainted with OpenID Artifact Binding
(or for Mobile), it is a binding of OpenID on OAuth 2.0 with some
appropriate restriction on "code" length etc. (As it so happens, it
does not require Association since we do it over SSL.)

The differences are:

1. Artifact Binding (AB) returns the identity assertion in parallel to the
   OAuth access token, thus AB can return identity attributes and other
   extension variables within the assertion - better compatibility.
   Also, it is one less round trip than Connect.
2. AB defines public key based sig. through the Magic Signature and some
   additional parameters so that it can go up to LoA4.
3. Connect defines new discovery.

Otherwise, they are pretty much the same thing.

Anyways, my biggest concern is the market confusion.

"Connect" simply can be the basic building block and the first
deliverable of the v.Next Core WG.

If that would be the course, I will give my full support to Connect,
though I might still want to ask "why duplicate with Artifact Binding?" ;-)
It simply looks like too much overlap.

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
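The round-trip difference Nat describes (the identity assertion arriving alongside the access token in the code exchange, versus a separate request for it afterwards) can be made concrete with a small simulation. The following Python is an added example, not code from this thread, from the OpenID Foundation, or from any Artifact Binding or Connect implementation. `Provider`, `exchange_code`, `fetch_identity`, `MAX_CODE_LEN` and the HMAC-protected assertion are hypothetical stand-ins: the post mentions a public-key Magic Signature and a code-length restriction, and this example only models that an assertion is integrity-checked and that oversized or replayed codes are rejected. Only back-channel requests after the code is delivered are counted; the front-channel redirect is the same in both variants and is left out.

```python
"""Constructed simulation of two ways a client can obtain an identity
assertion after an OAuth 2.0-style code exchange:
  parallel=True  -> assertion is returned in the same token response
  parallel=False -> client must make a second request for it
Every name here is hypothetical; nothing is taken from a real spec."""

import hashlib
import hmac
import json
import secrets

MAX_CODE_LEN = 64  # hypothetical bound standing in for a "code" length restriction


class Provider:
    """Toy identity provider that counts back-channel round trips."""

    def __init__(self, secret: bytes):
        self.secret = secret          # stand-in for the provider's signing key
        self.codes = {}               # one-time code -> subject
        self.tokens = {}              # access token -> subject
        self.round_trips = 0          # back-channel requests served

    def issue_code(self, subject: str) -> str:
        code = secrets.token_urlsafe(24)
        self.codes[code] = subject
        return code

    def _assertion(self, subject: str) -> dict:
        # Integrity-protected identity statement (HMAC stands in for a signature).
        payload = json.dumps({"sub": subject, "email": f"{subject}@example.test"},
                             sort_keys=True)
        mac = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}

    def exchange_code(self, code: str, with_assertion: bool) -> dict:
        self.round_trips += 1
        # Reject oversized, unknown or already-used codes before doing anything else.
        if len(code) > MAX_CODE_LEN or code not in self.codes:
            raise ValueError("invalid, oversized or replayed code")
        subject = self.codes.pop(code)  # single use
        token = secrets.token_urlsafe(24)
        self.tokens[token] = subject
        response = {"access_token": token}
        if with_assertion:
            response["assertion"] = self._assertion(subject)
        return response

    def fetch_identity(self, token: str) -> dict:
        self.round_trips += 1
        return self._assertion(self.tokens[token])


def verify_assertion(secret: bytes, assertion: dict) -> dict:
    """Client-side check: recompute the MAC in constant time before trusting claims."""
    expected = hmac.new(secret, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        raise ValueError("assertion integrity check failed")
    return json.loads(assertion["payload"])


def login(provider: Provider, subject: str, parallel: bool) -> dict:
    """Run one login and return the verified claims."""
    code = provider.issue_code(subject)
    response = provider.exchange_code(code, with_assertion=parallel)
    if parallel:
        assertion = response["assertion"]
    else:
        assertion = provider.fetch_identity(response["access_token"])
    return verify_assertion(provider.secret, assertion)


def compare_round_trips(subject: str = "alice") -> tuple:
    """Return (round trips with parallel assertion, round trips with separate fetch)."""
    secret = b"constructed-shared-secret"
    p_parallel = Provider(secret)
    claims_parallel = login(p_parallel, subject, parallel=True)
    p_separate = Provider(secret)
    claims_separate = login(p_separate, subject, parallel=False)
    assert claims_parallel == claims_separate  # same identity data either way
    return p_parallel.round_trips, p_separate.round_trips


def code_replay_rejected() -> bool:
    """A code that has already been exchanged must not work a second time."""
    provider = Provider(b"constructed-shared-secret")
    code = provider.issue_code("bob")
    provider.exchange_code(code, with_assertion=True)
    try:
        provider.exchange_code(code, with_assertion=True)
    except ValueError:
        return True
    return False
```

Running `compare_round_trips()` gives `(1, 2)`: the parallel variant needs one back-channel request, the separate-fetch variant two, which is the "one less round trip" point in the post. The single-use code and the MAC check are the two controls a relying party would want regardless of which variant it implements.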