[OpenID] Musing on FaceBook, OpenID and the next mountain to climb
Peter Williams
pwilliams at rapattoni.com
Sun Aug 3 00:59:07 UTC 2008
Looked at OAUTH again, seeing as there is a previous musing in the thread on the relationship between OAUTH and Facebook, and since OAUTH and OpenID have an overlapping history according to http://oauth.net/documentation/getting-started.
I don't see any essential difference between it and SAML1.0. It seems easy to recast the apparent "concept" of OAUTH in SAML terms.
User goes to SP website to print photos, and there initiates sp-initiated websso in order to nominate which photos shall be printed, as stored on another photo storage site selected by user. User's browser is therefore redirected to photo storage website - and goes through its locally defined UI experience to select photos. This process concludes the processes of user auth (on the storage site) and establishes on that photo filing site an "attribute release policy" for the printing site (e.g. a bunch of photo references, to be later dereferenced by the printer site). Upon user consent, IDP (storage site) sends SAML artifact post to SP (printing site), using some HTTP POST. Photo printing site dereferences the inbound posted artifact#, by now pulling the photo attributes from IDP over SOAP-based backchannel (citing backchannel "API password", sometimes known as HTTP digest auth). SOAP response blob with lots of photo jpeg attributes is communicated to SP, which presumably prints photos by parsing the multipart MIME type, and its bits of supporting XML.
Now, as always with Peter, there is the greatest respect for anyone who can find the "form of knowhow" that gets actually "adopted", particularly when it's massive adoption. Let's not take that away from OAUTH.
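The artifact exchange described in the message above, modelled as an added example that is not part of the original post and not code from any SAML or OAuth library. The class and host names, the lifetime, and the plain password comparison standing in for HTTP digest auth are all assumptions; the point shown is that the artifact passing through the browser is an opaque, single-use reference bound to one SP, and the photo references are released only over the authenticated back channel.

```python
import hmac
import secrets
import time


class StorageSiteIdP:
    """Photo storage site in the IdP role (constructed model, not a SAML library)."""

    def __init__(self, sp_passwords, ttl=60):
        self.sp_passwords = sp_passwords  # back-channel "API password" per SP
        self.ttl = ttl                    # artifact lifetime in seconds (assumed)
        self.pending = {}                 # artifact -> (sp_id, photo_refs, expiry)

    def consent(self, sp_id, photo_refs, now=None):
        """User has authenticated and chosen photos: mint an opaque artifact."""
        now = time.time() if now is None else now
        artifact = secrets.token_urlsafe(20)
        self.pending[artifact] = (sp_id, list(photo_refs), now + self.ttl)
        return artifact  # goes through the browser and carries no photo data

    def resolve(self, sp_id, password, artifact, now=None):
        """Back-channel call from the SP: authenticate it, release attributes once."""
        now = time.time() if now is None else now
        expected = self.sp_passwords.get(sp_id, "")
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("back-channel authentication failed")
        # pop() makes the artifact single-use, even if a later check fails
        entry = self.pending.pop(artifact, None)
        if entry is None:
            raise LookupError("unknown or already used artifact")
        bound_sp, refs, expiry = entry
        if bound_sp != sp_id:
            raise PermissionError("artifact was issued to a different SP")
        if now > expiry:
            raise LookupError("artifact expired")
        return refs


def demo():
    """Constructed run: printing site redeems an artifact, then a replay is tried."""
    idp = StorageSiteIdP({"printer.example": "constructed-api-password"})
    artifact = idp.consent("printer.example", ["photos/17", "photos/42"])
    released = idp.resolve("printer.example", "constructed-api-password", artifact)
    try:
        idp.resolve("printer.example", "constructed-api-password", artifact)
        replay = "accepted"
    except LookupError:
        replay = "rejected"
    return released, replay
```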