[OpenID] Current state of OpenID & federated logins in general

Peter Williams home_pw at msn.com
Fri Sep 13 01:15:57 UTC 2013


In a gesture to the work of this community, and giving thanks to Ping Identity for teaching me how (to emulate their server using Microsoft Azure ACS identity platform for oauth2, wstrust to Microsoft Office APIs, and wsfederation for browser), we made our cloud stuff available to a million US realtors, just this week. This was our (cryptopolitics-free) contribution to the US national strategy. If a tiny firm can have that much reach, so can you.

Now to a criticism (of standards). Millions of websites already talk oauth2 (to Yahoo, Google, Salesforce), but they cannot talk to us... since this is not an open standard but a closed community concept.

Knowing this, we deployed some actually open systems in parallel. Signed jwts with nameids (for use at jwt enabled apis (are there any?)) are optionally accompanied by an encrypted saml1 (asymmetric) proof token, bearing lots of attributes and usable with wssecurity spis (thanks to years of Microsoft/IBM/Verisign/Oracle... interworking efforts).

So yes, openid succeeded in a way. It told us when the market was ready (for commoditization).


While there are lots of

Sent from my Windows Phone
________________________________
From: Nat Sakimura<mailto:sakimura at gmail.com>
Sent: 9/12/2013 5:37 PM
To: Paul Johnston<mailto:paj at pajhome.org.uk>
Cc: openid-general at lists.openid.net<mailto:openid-general at lists.openid.net>
Subject: Re: [OpenID] Current state of OpenID & federated logins in general

Just a few notes.

Google's "OAuth Login" actually is OpenID Connect.

Salesforce recently announced the start of support for OpenID Connect.

PayPal is now using OpenID Connect, and so do a bunch of others. Many of them are waiting for OpenID Connect to finalize.

If you are using Amazon, you are using OpenID 2.0.

Many of the use cases are within closed ecosystems, so it might feel that it is not a federation though technically it is.

Proper federated login has not taken off. The de facto federation mechanism is password sharing, which is a threat to the internet's safety.

OAuth 'federation' is becoming somewhat popular because the client can suck the personal data. Many implementations actually do not give much of the security that an SSO really requires because that's not a priority for these sites.

=nat via iPhone

On Sep 13, 2013, at 0:30, Paul Johnston <paj at pajhome.org.uk> wrote:

> Hi,
>
> I'm looking for an informed view on the current state of OpenID and related technologies. What I've picked up is:
>
> 1) Many major web presences (Google, Facebook, etc.) will be identity providers, but favor schemes based on OAuth 2.
> 2) Some web sites do allow federated login, but it's still a minority.
> 3) It is technically difficult to add federated login support to a website. Even where a good library exists (e.g. Spring Social) a lot of work is needed.
> 4) With OAuth systems, if my website wants to allow logins from a particular identity provider, I have to register my website with the identity provider in advance.
> 5) Use of OpenID is now rare.
>
> This is just what I've picked up; I'd welcome a more informed view.
>
> Personally, I am quite disheartened by the situation. I think we desperately need a better system of online identity, and OpenID would do the job. The requirement in OAuth for the service provider to preregister with the identity provider doesn't fit the open nature of OpenID. It's much more geared to a world where everyone uses one of the major providers; no chance of running your own OAuth provider on your own web server.
>
> Thoughts welcome,
>
> Paul
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general