[OpenID] openid connect. what is it?
Nat Sakimura
sakimura at gmail.com
Fri Sep 20 06:06:07 UTC 2013
Let me then ask this: With OAuth, how did you communicate the information
about the authentication event and of the identity between the server and
client in an inter-operable manner?
In short, OpenID Connect is something that provides it.
For JW*, http://self-issued.info/ would be a good resource.
OpenID Connect has no UI at all. The selector-like thing is Account Chooser,
which is another specification being worked on at the OpenID Foundation.
For a basic description of what it is, perhaps you can look at
https://www.accountchooser.com/learnmore.html .
Best,
Nat
2013/9/20 Peter Williams <home_pw at msn.com>
> Good try. But it didn't deliver the story.
>
> It said that id cert standardizes some Facebook thing (that I know nothing
> about, since Facebook is irrelevant to us).
>
> It seemed to hint at the old (pre NSA surveillance state) position, of
> making idps (or as partners) govern RP privacy policies, limiting who gets
> which sensitive claims. In a total surveillance climate, these American
> privacy initiatives look silly (and deceptive even).
>
> We were left with some academic schema statements based on inverted models
> of identity (you are the attributes attached to different relations). The
> point was lost. I felt like I was learning about an isam file structure
> (without knowing why).
>
> I was confused about the point of showcasing yet more JW* standards. All
> I guessed was that things will one day reimplement WS-SecureConversation,
> perhaps, swapping byte format. This seemed to be a WAP moment (having
> designed for a phone world *pre* broadband rate data plans, and handheld
> cpu/ram bigger than my university had for the entire engineering faculty).
>
> I was left with only one hint, from phone UI pictures. It was that oauth
> facilitates there being a native logon app, that supports other apps on the
> phone in that idps ecosystem. (and maybe other idp app sellers, if 2 idp
> choose to coordinate - like all, yahoo and live in the era of I'm
>
> Just as I waited 3y for oauth to mature (and finally make its case),
> wondering whether I should just ignore openid connect - and look again in
> 2-3 years?
>
> Sent from my Windows Phone
> ------------------------------
> From: Nat Sakimura <sakimura at gmail.com>
> Sent: 9/19/2013 4:16 PM
> To: Peter Williams <home_pw at msn.com>
> Cc: openid-general at lists.openid.net
> Subject: Re: [OpenID] openid connect. what is it?
>
> This page may help you understand what OpenID Connect is, based on your
> understanding of OAuth.
>
> http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/
>
> ID Token has been used by Google for some time.
> Its predecessor, the signed request of Facebook, has been used very widely as
> well.
>
> =nat via iPhone
>
> On Sep 20, 2013 at 7:33, Peter Williams <home_pw at msn.com> wrote:
>
> Having deployed an ISP-class OAuth service, I feel I know what OAuth is
> (finally). Rather than have an embedded authentication website, it does
> websso to an IDP. In other words, the AS is itself a websso SP.
>
> Now, I understand that a few tweaks of messages in OAuth allow that
> AS-websso-SP bridge to invoke a selector screen - by which users choose IDPs
> from a list. And, I understand that the OAuth tweaks might indicate which
> of several IDP lists to use, where an OAuth IDP-class service can tune
> itself up to offer multiple private-label experiences, selected by some or
> other label sent in an OAuth message.
>
> Is that ALL openid "connect" is? (a way of hosting lots of identity
> selector pages, together with the config of the IDP metadata, etc; and a
> way of choosing which page of selections to present)?
>
> I've also seen hints that "companion" JWTs might accompany the access
> token. Known as id-tokens, they don't actually seem to exist in the wild
> (not having escaped the paper lab, yet). As far as I can tell, they are
> just JWTs with more than the nameid claim, thereby avoiding a per-IDP API
> call (just to collect a Yahoo API's vs Facebook API's member record
> claimset).
>
> Is this openid connect?
>
> I've also seen hints that the companion JWT is supposed to be a mobile
> account-linking record, similar to the old account linking service elements
> of OASIS. Is this openid connect? If there is "evidence" that several
> access tokens all relate to a common persistent name (ahem, XRD id, for
> structured names) represented by the id-token, is this openid connect?
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en