[OpenID] Verisign Announces Free OpenID Digital Lockbox

Peter Williams pwilliams at rapattoni.com
Sat Feb 21 22:24:57 UTC 2009


If you take another look at what I suggested, it hinged on exploiting a cascade of OPs - only the last of which was a hybrid OAuth-SP/OpenID-OP.

This cascading is what SAML2 simply calls IDP proxying - a model we use extensively at Rapattoni so that incoming assertions from asserting-parties without support for the standard PEP/PDP protocol are subject to (standard) entitlement/authorizationQuery controls performed by our own asserting party (when enforcing/deciding to release assertions & attributes, per user, per RP).

That is:

User performs user auth at Live.com OP say (not a hybrid)

Live OP classically asserts to the myopenid OP at the user's discretion - which is the only hybrid OAuth-SP/OP (where the OAuth vault service was the data source/sink). The assertion minted by the hybrid OP is unlike others, being profiled to allow the OAuth consumer receiving the OpenID assertion to then access an OAuth-SP (data service) while claiming [limited] impersonation-rights for the user.

Using one OP as an authenticator for another OP is really only a variant of what MyOpenID does today (where SSL client certs or cardspace assertions can be used to user auth to the OP). Rather than a cascade of cardspace assertion -> openid assertion ... I simply advocated using a cascade of openid assertion -> openid assertion.

> -----Original Message-----
> From: Martin Atkins [mailto:mart at degeneration.co.uk]
> Sent: Saturday, February 21, 2009 2:02 PM
> To: Andrew Arnott
> Cc: Peter Williams; OpenID List
> Subject: Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox
>
> Andrew Arnott wrote:
> > I fear that the "beauty" of the OpenID/OAuth hybrid will end up making all
> > SPs become OPs as well, thereby virtually defeating the promise of OpenID's
> > single-sign-on.
>
> Agreed.
>
> We need a way to do hybrid when the OP and the SP are not the same
> party, and ideally we need it sooner rather than later.
>
> The OpenID/OAuth hybrid is a nice UX fix in the short term, but it is
> not good if I'm forced to use a single provider for everything from
> authentication to address books to calendars to whatever else we make
> work with OAuth in future.
>
> It also seems to me that the OpenID part of the OpenID/OAuth hybrid is
> actually redundant in many scenarios. For example, if I'm connecting to
> a PortableContacts endpoint using OAuth, the PortableContacts "self"
> endpoint can in theory provide a superset of the information provided by
> the OpenID transaction.
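
The cascade described in the reply above (classic OP -> proxying hybrid OP -> RP, with the hybrid OP applying its own per-user, per-RP release policy before minting a fresh assertion), as an added Python model; this is not code from the post, from Rapattoni, MyOpenID or Live, and the hostnames, secrets, nonces, policy table and OAuth extension field names are constructed assumptions.

```python
import base64, hashlib, hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"
HYBRID_RETURN = "https://hybrid.example/upstream-return"  # where the classic OP asserts to
# Constructed release policy of the proxying OP: (claimed_id, RP return_to) -> OAuth scope
# it may delegate. Anything absent is refused; this is the per-user, per-RP decision point.
RELEASE_POLICY = {("https://live.example/alice", "https://rp.example/return"): "contacts:read"}

def sign_assertion(fields, secret, signed_keys):
    """OpenID 2.0-style signing: HMAC-SHA256 over 'key:value\\n' per key (no 'openid.' prefix), in openid.signed order."""
    out = {**fields, "openid.signed": ",".join(signed_keys)}
    base = "".join(f"{k}:{out['openid.' + k]}\n" for k in signed_keys)
    out["openid.sig"] = base64.b64encode(hmac.new(secret, base.encode(), hashlib.sha256).digest()).decode()
    return out

def verify_assertion(fields, secret, expected_return_to):
    """Accept only a positive assertion addressed to us whose signature verifies under the association secret."""
    if (fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res"
            or fields.get("openid.return_to") != expected_return_to):
        return False
    keys = fields.get("openid.signed", "").split(",")
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"} <= set(keys):
        return False  # the fields we rely on must be covered by the signature
    recomputed = sign_assertion(fields, secret, keys)["openid.sig"]
    return hmac.compare_digest(recomputed, fields.get("openid.sig", ""))

def live_op_assert(secret):
    """Step 1 (constructed): the classic, non-hybrid OP asserts the user to the hybrid OP."""
    fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": "https://live.example/openid",
              "openid.claimed_id": "https://live.example/alice", "openid.identity": "https://live.example/alice",
              "openid.return_to": HYBRID_RETURN, "openid.response_nonce": "2009-02-21T22:24:57Zabc",
              "openid.assoc_handle": "live-1"}
    return sign_assertion(fields, secret, ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"])

def hybrid_op_proxy(upstream, upstream_secret, rp_return_to, rp_secret):
    """Step 2: verify the upstream assertion, apply the release policy, mint the hybrid OP's own assertion for the RP."""
    if not verify_assertion(upstream, upstream_secret, HYBRID_RETURN):
        return None
    scope = RELEASE_POLICY.get((upstream["openid.claimed_id"], rp_return_to))
    if scope is None:
        return None  # policy refuses to release this user to this RP
    fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": "https://hybrid.example/openid",
              "openid.claimed_id": upstream["openid.claimed_id"], "openid.identity": upstream["openid.identity"],
              "openid.return_to": rp_return_to, "openid.response_nonce": "2009-02-21T22:25:00Zdef", "openid.assoc_handle": "hybrid-1",
              # Extension field names follow the OpenID OAuth Extension draft (assumed, not from the post).
              "openid.ns.oauth": "http://specs.openid.net/extensions/oauth/1.0",
              "openid.oauth.scope": scope, "openid.oauth.request_token": "constructed-token"}
    return sign_assertion(fields, rp_secret, ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
                                              "assoc_handle", "ns.oauth", "oauth.scope", "oauth.request_token"])
```

The RP only ever holds an association with the hybrid OP, so the upstream OP's secret and its assertion never leave the proxying OP; changing the claimed_id or the RP in the policy lookup makes the hybrid OP refuse to mint anything.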