[OpenID] Openid connect and interoperability (today)

Peter Williams home_pw at msn.com
Thu Sep 26 19:05:58 UTC 2013 

>From a Nat write up (for the 7 billion of us web users who are not inherently exceptional), the idtoken seems to be a symmetrically signed jwt *in anticipated practice*. Its motivation is as an "integrity check".

If anyone is interested (in a relying party industry perspective) the RSA signed token was more interesting, when referencing a x509 cert chain. Testable by third parties during offline dispute handling, its indication enabled the client to retain and present unforgeable evidence of its authority to access/store and even snoop/share on data retrieved from certain other endpoints, concerning user x. Typically, those endpoints are not even guarded  (by access tokens)

Note , despite being a willing windows developer, I have nothing to do with Microsoft - don't be confused by the consumer centric msn.com domain name! I played with DSL-based (dsam  pop delivered) pptp VPN in 2001ish to see where the surveillance crypto politics & associated engineering was at, in the us), and the name stuck.

My assumption is that Microsoft activities with their peers here are being done in anticipation of services to be delivered in 1-2 years from now to (developer) customers  (per normal engineering cycles).

Sent from my Windows Phone
________________________________
From: Mike Jones<mailto:Michael.Jones at microsoft.com>
Sent: ‎9/‎26/‎2013 10:02 AM
To: peter williams<mailto:home_pw at msn.com>; general at openid net<mailto:general at openid.net>
Subject: RE: [OpenID] Openid connect and interoperability (today)

There's over a dozen implementations with test sites up at http://osis.idcommons.net/.  See the Solutions link and the page about the current OpenID Connect interop activities.  (We're currently in the 5th round of public interop testing.)

Best wishes,
-- Mike
________________________________
From: peter williams
Sent: 9/26/2013 7:49 AM
To: general at openid net
Subject: [OpenID] Openid connect and interoperability (today)

One more general question comes to mind. Using rsa-signed jwts, using id certs, using access tokens that reference id certs, noting the claim that google have deployed openid connect in essence, and noting that facebook apparently use an original proprietary version of openid connect, what is the state of multi-vendor openid connect deployment?

We almost licensed ping identitys openid module for their federation server, once the firm announced oauth v2 conformance and once id figured that app/plugin fever had struck in the heart of microsofts Office365 cloud service (wherein web-hosted sites can host pages that display in the outlook email client, augmenting the email page itself, as rendered by the cloud service AND where oauth-like authorization grant and vendor control practices govern plugin activation and subscription).  This seemed like a good fit...for us...allowing professional data about a "member of realty association" to augment the email addressing information.

Ping did their best  to accomodate (since they tend to be market leading and put up with me like few others do). But i was stunned to learn that oauth 2 delivered nothing of any value (to such a multi-vendor concept). The very concept was still scoped to private community devices (logically enabling controlled realty iphone apps talking to realty apis, aping facebook model of world order). Such devices (including windows toolkits making sp website into "authorized devices") would still require custom code or realty plugins even for that 5 year old world view.

While the ping deal idn't happen for some strange commercial reasons and my lack of faith that the market concept was of much importance (why do i want to ape google/facebook, being intentionally 5 years late to the party), we did go off and extend our websso so that third party authorization servers could do their thing, adding oauth2 value. Thus we let microsoft azure cloud services for oauth offer such extensibility (effectively adding yap - yet another (websso) protocol - to the  family). And duly another realty firm with native table/phone apps did connect up .. finding oauth 2 code grant flow with rsa-signed jwts "just right".

Which leads me back to the main question. Where is openid connect in practice? Is there a groundswell? Is it at the  im explosion stage still (wherein aol, yahoo, live refused to connect up...)? Is the technical profiling and core interoperability phase done? Is it at the find a vc, phase?

Perhaps want i really want to know is when will openid connect be an open system? When can i talk to office 365 using my jwts, much as i can talk to any webserver on the planet using my ssl x509 client certs?

Or is that the wrong question? Is it _supposed_ to be a closed system, like x400/x500, fully distributed but with a hierarchical connectivity mesh controlled much public phone systems connect (at a relatively few formal connection points)?


_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20130926/4a3b01ca/attachment.html>

More information about the general mailing list