[OpenID] openid connect. what is it?

Peter Williams home_pw at msn.com
Fri Sep 20 06:50:11 UTC 2013 

Oauth client website server induces users browser to visit authz endpoint. This is a websso dp which concludes websso with an idp (which does RSA baysian network tracking/identification of user devices, from  passive tracking signals  left by web standards (insecurity properties).) upon release of jwt over websso (wsfedp in our case), delegation record is registered for websso session and associated one time code goes off to website registered to vendor running oauth client.

Client (server thread, here) exchanges one time code for access token - which is another jwt blob, signed with rsa, with namid field. Its value is the nameid from websso assertion. ( In another profile, the nameid is the entire websso assertion.)

Now that I understand, being a minor variation of 30 year old x500 security services, using alternative signed blob formats and alternative chaining protocols between server agents.

If the above is oauth2, its fine. It looks pretty interoperable, based on a signed blob agreement, a naming record, and a couple of conversation protocols.

I hope I answered the first paragraph question.

If openid connect now just has the authz endpoint show an idp picker screen, this I can do (obviously). The idp must support openid, saml2, or wsfedp for websso. ( If its wsfedp, there can be a chain of issuers, any one or several of which can show the home realm selector experience).

Sent from my Windows Phone
________________________________
From: Nat Sakimura<mailto:sakimura at gmail.com>
Sent: ‎9/‎19/‎2013 11:06 PM
To: Peter Williams<mailto:home_pw at msn.com>
Cc: openid-general at lists.openid.net<mailto:openid-general at lists.openid.net>
Subject: Re: [OpenID] openid connect. what is it?

Let me then ask this: With OAuth, how did you communicate the information
about the authentication event and of the identity between the server and
client in an inter-operable manner?

In short, OpenID Connect is something that provides it.

For JW*, http://self-issued.info/ would be a good resource.

OpenID Connect has no UI at all. Selector like thing is Account Chooser,
which is another specification being worked on at OpenID Foundation.
For a basic description of what it is, perhaps you can look at
https://www.accountchooser.com/learnmore.html .

Best,

Nat


2013/9/20 Peter Williams <home_pw at msn.com>

>  Good try. But it didn't deliver the story.
>
> It said that id cert standardizes some Facebook thing (that I know nothing
> about, since Facebook is irrelevant to us).
>
> It seemed to hint at the old (pre NSA surveillance state) position, of
> making idps (or as partners) govern RP privacy policies, limiting who gets
> which sensitive claims.  In a total surveillance climate, this American
> privacy- initiatives looks silly (and deceptive even).
>
> We were left with some academic schema statements based on inverted models
> of identity (you are the attributes attached to different relations). The
> point was lost. I felt like I was learning about an isam file structure
> (without knowing why).
>
> I .was confused about the point of showcasing yet more jw* standards. All
> I guessed was that things will be day reimplement ws)secureconversation,
> perhaps, swapping byte format. This seemed to be a wap moment (having
> designed for a phone world * pre* broadband rate data plans, and handheld
> cpu/ram bigger than my university had for the entire engineering faculty.
>
> I was left with only one hint, from phone UI pictures. It was that oauth
> facilitates their being a native logon app, that supports other apps on the
> phone in that idps ecosystem. (and maybe other idp app sellers, if 2 idp
> chhose to coordinate - like all, yahoo and live in the era of I'm
>
> Just as I waited 3y for oauth to mature (and finally makes its case),
> wondering whether I should just ignore openid connect - and look again in
> 2-3 years?
>
> Sent from my Windows Phone
>  ------------------------------
> From: Nat Sakimura <sakimura at gmail.com>
> Sent: 9/19/2013 4:16 PM
> To: Peter Williams <home_pw at msn.com>
> Cc: openid-general at lists.openid.net
> Subject: Re: [OpenID] openid connect. what is it?
>
>  This page may help you understand what OpenID Connect is based on your
> understanding of OAuth.
>
>
> http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/
>
>  ID Token has been used by google for sometime.
> It's predecessor, signed request of Facebook has been used very widely as
> well.
>
>  =nat via iPhone
>
> Sep 20, 2013 7:33、Peter Williams <home_pw at msn.com> のメッセージ:
>
>   Having deployed an isp-class oauth service, I feel I know what OAUTH is
> (finally). Rather than have an embedded authentication website, it does
> websso to an IDP. In other words, the AS is itself an websso SP.
>
> Now, I understand that a few tweaks of messages in OAUTH allows that
> AS-webssoSP bridge to invoke a selector screen - by which users choose IDPs
> from a list. And, I understand that the OAUTH tweaks might indicate which
> of several IDP lists to use, where a OAUTH IDP-class service can tune-its
> self up to offer multiple private label experiences, selected by some or
> other label sent in an OAUTH message.
>
> Is that ALL opened "connect" is? (a way of hosting lots of identity
> selector pages, together with the config of the IDP metadata, etc; and a
> way of choosing which page of selections to present)?
>
> Ive also seen hints that "companion" JWTs  might accompany the access
> token. Known as id-tokens, they don't actually seem to exist in the wild
> (not having escaped the paper lab, yet). As far as I can tell, they are
> just JWTs with more than the nameid claim, thereby avoiding a per-IDP API
> call (just to collect a yahoo API's vs facebook APIs member record
> claimset).
>
> Is this opened connect?
>
> I've also seen hints that the companion JWT is supposed to be a mobile
> account-linking record; similar to the old account linking service elements
> of OASIS. is this opened connect? If there is "evidence" that several
> access tokens all relate to a common persistent name (ahem XRD id, for
> structured names) represented by the id-token, is this openid connect?
>
>
>
>
>
>  _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>


--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20130919/3c5f5850/attachment.html>

More information about the general mailing list