[OpenID] openid connect. what is it?

Peter Williams home_pw at msn.com
Thu Sep 19 22:33:30 UTC 2013


Having deployed an isp-class oauth service, I feel I know what OAUTH is (finally). Rather than have an embedded authentication website, it does websso to an IDP. In other words, the AS is itself a websso SP.
 
Now, I understand that a few tweaks of messages in OAUTH allow that AS-webssoSP bridge to invoke a selector screen - by which users choose IDPs from a list. And, I understand that the OAUTH tweaks might indicate which of several IDP lists to use, where an OAUTH IDP-class service can tune itself up to offer multiple private label experiences, selected by some or other label sent in an OAUTH message.
 
Is that ALL openid "connect" is? (a way of hosting lots of identity selector pages, together with the config of the IDP metadata, etc; and a way of choosing which page of selections to present)?
 
I've also seen hints that "companion" JWTs might accompany the access token. Known as id-tokens, they don't actually seem to exist in the wild (not having escaped the paper lab, yet). As far as I can tell, they are just JWTs with more than the nameid claim, thereby avoiding a per-IDP API call (just to collect a yahoo API's vs facebook API's member record claimset).
 
Is this openid connect?
 
I've also seen hints that the companion JWT is supposed to be a mobile account-linking record; similar to the old account linking service elements of OASIS. Is this openid connect? If there is "evidence" that several access tokens all relate to a common persistent name (ahem XRD id, for structured names) represented by the id-token, is this openid connect?
 
 
 
 
 		 	   		  