[OpenID] Definition of OpenID
David Recordon
recordond at gmail.com
Tue Jun 8 07:40:21 UTC 2010

We wrote http://openid.net/get-an-openid/what-is-openid/ a year or two
ago. It's far more of a product definition than a technical one, but
supports what you wrote. Ever since we made OpenID 2.0 extensible and
a combination of other technologies a few years ago, it's been a
framework.

As you point out, OpenID has never done user authentication itself.
Rather, that's handled by cookies, passwords, tokens, certs, etc.
OpenID does, however, perform authentication from the provider to the
relying party once the user has authenticated and granted
authorization.

So yes, I agree with your definitions but would rewrite them and
clarify the intended audience. (Unfortunately 1am isn't a good time
for me to propose better wording.)

--David

On Tue, Jun 8, 2010 at 12:31 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> Many people say that OpenID is for Authentication and OAuth is for
> Authorization.
>
> This does not seem to be an accurate statement.
>
> In fact, OpenID does not do the "authentication" in the narrow meaning and
> OAuth does not do the "authorization" in the narrow meaning.
>
> A more accurate characterization would be something like:
>
> OpenID is a Digital Identity Framework that conveys the authorization
> decision and identity attributes/data of an authenticated identity from the
> identity provider (OpenID provider, OP) to a requesting party called relying
> party (RP).
>
> OAuth is a protocol that allows one to delegate the access authorization to
> a resource to a third party. (<= need better wording.)
>
> Any discussion?
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en