[OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams home_pw at msn.com
Thu Oct 18 20:06:21 UTC 2012


Thank you, but no. General comment is my limit, given the wider implications of membership, etc. General comment is what this list is for.

 

But, to be fair to Google, I did conclude my original idea (simply making WordPress talk to an IDP, leveraging the Account Chooser intermediation, with auto-account creation). I wrote up my own little efforts at a trial at http://wp.me/p1fcz8-30a. It says... the technology works. Then some of the implications of “working” integration are explored, without being academic.

 

If I was more sociable, perhaps I'd have been on some Account Chooser or WordPress plugin list that could have given direction, earlier. At the same time, by operating blind, it's been useful to view the integration very skeptically. Questioning the policy implications of the intermediation service came about from the nature of the technology integration itself, being obvious. I’m left with a stronger question to now ask: would I want it (now it works)?

 

It's been a little unfair to target Google and so publicly be critical - since their enforcement technology is so clearly well done (and it's all probably still formally a beta rollout). Clearly, national-scale mandatory security policy enforcement via websso has taken a strong leap forward. The questions now are: are the TTPs policy rules right? Where is involvement of a TTP-class IDP or IDP trust broker even appropriate?

 

Do any other vendors have public trials? I'd like to figure if the policy enforcement is essential to the OpenID Connect concept, or it's just a Google value add (for its business model). If I think back to our first efforts with SAML, the VERY first thing we did was abandon the Shibboleth community’s policy control concept...the abandonment of which turned out crucial for the adoption of websso in a more decentralized (and economically vital) community with a strong aversion to centralized policy management ... of ANY kind. The same kinds of questions are increasingly pertinent for OpenID Connect, evidently.

 



From: Nat Sakimura
Sent: October 17, 2012 6:44 PM
To: Peter Williams
CC: openid-general at lists.openid.net
Subject: Re: [OpenID] One developer's first encounter with account chooser (openid connect?)


Perhaps you can join Account Chooser WG and give your formal feedback so that the WG can incorporate it?



Nat


On Thu, Oct 18, 2012 at 4:03 AM, Peter Williams <home_pw at msn.com> wrote:





In a word: frustrating. http://wp.me/p1fcz8-2YW. It was frustrating on multiple levels.
 
Obviously the code is fixable, but one worries about the very "idea" - there seems a desperation in the desire to remove local IDPs - including those granting access to privileged administrator configuring (broken) federated logon!
 
To be fair, the default Microsoft ASP.NET web app project built by the released version of Visual Studio 20102 doesn't work, either - when taking up the federated (OAUTH/openid) login option and its display of a set of IDPs, configured locally. It doesn't even compile, link and load! Thus, I have not even got so far as to work with its attempt to showcase OpenID Connect, or see if things interwork yet with Google's implementation, etc.
 







-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en