[OpenID] Leveraging OpenID Server Infrastructure to support OAuth
Peter Williams
pwilliams at rapattoni.com
Wed Dec 10 14:06:58 UTC 2008
I don't know, Pat.
I am slowly warming to OAUTH. I just cannot tell yet whether it has the richness required for the long term.
OpenID is more like SSL than anything else (since it keys a persistent crypto channel between 2 entities). Today, over that channel, it happens to express auth, AX, and soon NR/DRM authZ controls (from Nat/Japan). Before long, liberty folk will assuredly engineer it to also do trust based governance, enforced by legal-federations of OPs (like EV).
I'm not sure where OAUTH fits in, technically or culturally. Its function would seem to be a mere extension type, within the OpenID stack - as opposed to being a peer.
But, I'm expressing as usual my technical ignorance and biases. The sheer number of adoptions of OAUTH makes it sound like I just don't get it; and the problem is me. Both OpenID and OAUTH seem to me to be minor variants of SAML2 flows (websso and artifact). But, at least I know now what is the unique "twist" that openid2 adds to the well-understood websso flows - bringing benefits and flexibility that you just don't actually get from SAML2, in practice. It's rich, vibrant and will develop further.
If I had the same sense for the richness of OAUTH, I'd be happier to formulate a recommendation.
At the same time, I'm not on the Board, and am not running for election. So no one really ought to give a damn about my opinion! Focus on the candidates and their positions on OAUTH.
-----Original Message-----
From: Pat Cappelaere [mailto:pat at cappelaere.com]
Sent: Wednesday, December 10, 2008 4:56 AM
To: general at openid.net
Cc: Peter Williams
Subject: Leveraging OpenID Server Infrastructure to support OAuth
I have some "disadvantaged" service providers out there that would
like to implement OAuth.
My users will have an OpenID and are familiar with the concept of
authorizing "Sites".
OpenID servers such as MyOpenID, VIDOOP... have a great infrastructure
to request user authorization (email, sms, voice...).
Couldn't we leverage that infrastructure to speed up OAuth acceptance?
[and help those SPs do a better job]
It appears, on the surface, that if a service provider (SP) receives
an OAuth request from an application consumer (AC) on behalf of a
user with an openid, that SP could go back to the openid server and
request user authorization for AC to act on the user's behalf with an
immediate or setup request using the realm as the AC url. The problem
is that the server is going to return a trust_root error to avoid a
phishing attack.
I am wondering if that error isn't too strict and a better behavior
would be for the server to tell the user that an authorization is
requested by SP to allow AC to act on his behalf?
This would now give the user a single place to manage access grants for
sites or applications with no other change to the server.
[Another way would be for the SP to check the OP if AC has been
authorized by user but this might present some other security concerns]
Thanks,
Pat.
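The trust_root error Pat describes is the OP's realm/return_to check: the OP will only send an assertion to a return_to URL that fits the realm the request names, so a realm pointing at the AC combined with a return_to on the SP is refused. As an added illustration (not code from this thread, nor from any OpenID library), here is a compact Python rendering of the OpenID 2.0 realm-matching rules; the function name and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Default ports used when a URL omits an explicit one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Does return_to fit the realm pattern, as an OP checks before issuing
    an assertion (OpenID Authentication 2.0, section 9.2)?

    Rules applied: no fragment in the realm; identical scheme and port;
    identical host, or a '*.' wildcard realm whose base matches the host or
    any of its subdomains; realm path equal to, or a parent directory of,
    the return_to path. Boundary handling is a simplification of the spec."""
    r, t = urlsplit(realm), urlsplit(return_to)
    if r.fragment:                               # realms must not carry a fragment
        return False
    if r.scheme != t.scheme or _port(r) != _port(t):
        return False
    r_host, t_host = r.hostname or "", t.hostname or ""
    if r_host.startswith("*."):                  # wildcard realm, e.g. *.example.com
        base = r_host[2:]
        if "." not in base:                      # refuse over-broad realms such as *.com
            return False
        if not (t_host == base or t_host.endswith("." + base)):
            return False
    elif r_host != t_host:
        return False
    r_path, t_path = r.path or "/", t.path or "/"
    if r_path == "/":                            # whole-site realm
        return True
    if r_path.endswith("/"):
        return t_path.startswith(r_path)
    return t_path == r_path or t_path.startswith(r_path + "/")


if __name__ == "__main__":
    # Pat's scenario (constructed URLs): realm names the AC, return_to is on the SP.
    ac_realm = "https://ac.example.net/"
    sp_return = "https://sp.example.org/oauth/callback"
    print("OP accepts:", return_to_matches_realm(sp_return, ac_realm))  # False
    # The ordinary RP case, where return_to lives under the realm.
    print("OP accepts:", return_to_matches_realm(
        "https://www.example.com/openid/return", "https://*.example.com/"))  # True
```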