Authorization using OpenID?

Dick Hardt dick at sxip.com
Sun Oct 15 02:42:34 UTC 2006


Hi Carsten

OpenID 2.0 Authentication does not give you authz credentials.

authz can be done by adding another player in the mix, let's call it  
the authorization party, or AZP (I have called this the Identity  
Issuer in the past).

The AZP provides the user with a credential which says their OpenID  
(http://blame.ca) has permission X. The user stores this at their IdP  
(using OpenID terminology).

The user then goes to an RP, and the RP makes an authn request to the  
IdP and also makes an OpenID Attribute Request for credential X,  
which is needed for authorization to the RP.

The user authenticates to the IdP and the response message proves the  
user is http://blame.ca, and the response also contains credential X  
bound to http://blame.ca.

This is the core innovation in Identity 2.0 data flow -- the user  
centered aspect.

-- Dick


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general- 
> bounces at openid.net] On
> Behalf Of creimer at xs4all.nl
> Sent: Friday, October 13, 2006 12:31 AM
> To: general at openid.net
> Subject: Authorization using OpenID?
>
> Dear list,
>
> I searched the mailing list archives for authorization issues and
> googled for it, too. In the mailing list archives nothing was said about
> authorization issues and the google results I found mainly pointed out
> that OpenID is only for authentication purposes.
>
> To clarify: Authorization in this context means to decide whether an
> already authenticated user (e.g. by the OpenID protocol) may use a
> special resource or not.
>
> The intended use case:
>
> With our company we would like to use OpenID to enable users to use
> several applications with a single sign on mechanism (like OpenID).
> But not every user may use every application so we need some authorization
> mechanism to distinguish the users who may from those who may not.
> Is that something OpenID can do or help to do?
>
> And if so, how can this authorization be achieved? I read through the
> specs (v1 and v2) and did not find anything appropriate. Are the
> properties introduced in v2 something that might help?
>
> Thanks in advance for any hints, suggestions etc.
>
> With kind regards
>
> Carsten Reimer
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
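The three-party flow Dick describes (AZP issues a permission credential bound to an OpenID, the user stores it at the IdP, the RP checks the IdP's authentication response and the AZP's binding) as an added, runnable model. This is example code written for this page, not anything from the thread or from any OpenID library. The party names, the JSON credential layout and the shared HMAC keys are constructed assumptions: a real OpenID 2.0 association negotiates its HMAC secret with Diffie-Hellman, and a real AZP would sign with a public key so the RP need not share a secret with it. The point the example adds is the check that makes the credential "bound to http://blame.ca": the RP rejects a perfectly valid credential presented under a different authenticated identifier.

```python
"""Toy model of OpenID authentication plus an Authorization Party (AZP).
All keys, identifiers and the credential format are constructed for this example."""
import hashlib
import hmac
import json
import time


def _mac(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON so issuer and verifier MAC identical bytes."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AuthorizationParty:
    """AZP: issues 'OpenID <sub> has permission <p>' credentials (HMAC key is an assumption)."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, subject: str, permission: str, ttl: int = 3600) -> dict:
        claims = {"iss": "azp.example", "sub": subject,
                  "permission": permission, "exp": int(time.time()) + ttl}
        return {"claims": claims, "mac": _mac(self.key, claims)}


class IdentityProvider:
    """IdP: authenticates the user and returns credentials the user stored as attributes."""

    def __init__(self, assoc_key: bytes):
        self.assoc_key = assoc_key   # stands in for the OpenID association secret with the RP
        self.users = {}              # openid -> password (toy store)
        self.attributes = {}         # openid -> {attribute name: credential}

    def register(self, openid: str, password: str) -> None:
        self.users[openid] = password
        self.attributes[openid] = {}

    def store_attribute(self, openid: str, name: str, credential: dict) -> None:
        self.attributes[openid][name] = credential   # the user decides what to store

    def authenticate(self, openid: str, password: str, requested: list):
        if not hmac.compare_digest(self.users.get(openid, ""), password):
            return None
        have = self.attributes[openid]
        body = {"claimed_id": openid,
                "attributes": {n: have[n] for n in requested if n in have}}
        return {"body": body, "sig": _mac(self.assoc_key, body)}


class RelyingParty:
    """RP: verifies the IdP response (authn), then the AZP credential and its binding (authz)."""

    def __init__(self, assoc_key: bytes, azp_key: bytes, required_permission: str):
        self.assoc_key = assoc_key
        self.azp_key = azp_key
        self.required = required_permission

    def authorize(self, response):
        if response is None:
            return False, "authentication failed"
        body = response["body"]
        # 1. The IdP must vouch for the claimed identifier.
        if not hmac.compare_digest(_mac(self.assoc_key, body), response["sig"]):
            return False, "bad IdP signature"
        cred = body["attributes"].get("permission")
        if cred is None:
            return False, "no permission credential presented"
        claims = cred["claims"]
        # 2. The AZP must have issued the credential, unmodified.
        if not hmac.compare_digest(_mac(self.azp_key, claims), cred["mac"]):
            return False, "credential not issued by AZP or tampered"
        # 3. The credential must be bound to the identifier the IdP just proved.
        if claims["sub"] != body["claimed_id"]:
            return False, "credential bound to a different OpenID"
        if claims["exp"] < time.time():
            return False, "credential expired"
        if claims["permission"] != self.required:
            return False, "credential grants a different permission"
        return True, f"{body['claimed_id']} authorized for {self.required}"


def demo() -> dict:
    """Run the flow for a legitimate user plus three failure cases; return the RP decisions."""
    azp_key, assoc_key = b"azp-secret (constructed)", b"idp-rp-association (constructed)"
    azp, idp = AuthorizationParty(azp_key), IdentityProvider(assoc_key)
    rp = RelyingParty(assoc_key, azp_key, "X")
    for openid in ("http://blame.ca", "http://other.example"):
        idp.register(openid, "pw-" + openid)

    cred = azp.issue("http://blame.ca", "X")          # "http://blame.ca has permission X"
    idp.store_attribute("http://blame.ca", "permission", cred)
    idp.store_attribute("http://other.example", "permission", cred)  # someone else's credential
    forged = {"claims": dict(cred["claims"], permission="admin"), "mac": cred["mac"]}

    results = {}
    results["legitimate"] = rp.authorize(
        idp.authenticate("http://blame.ca", "pw-http://blame.ca", ["permission"]))
    results["wrong_subject"] = rp.authorize(
        idp.authenticate("http://other.example", "pw-http://other.example", ["permission"]))
    idp.store_attribute("http://blame.ca", "permission", forged)
    results["tampered"] = rp.authorize(
        idp.authenticate("http://blame.ca", "pw-http://blame.ca", ["permission"]))
    results["bad_password"] = rp.authorize(
        idp.authenticate("http://blame.ca", "wrong", ["permission"]))
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14s} {'ALLOW' if ok else 'DENY '} {why}")
```

The order of checks matters: the RP verifies the IdP's signature before looking at any attribute, so an unauthenticated response is never a vehicle for a credential, and the subject-binding check runs after the AZP MAC check so the RP only compares identifiers on credentials it already trusts.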