<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div>
<div style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">Good try. But it didn't deliver the story.<br>
<br>
It said that id cert standardizes some Facebook thing (that I know nothing about, since Facebook is irrelevant to us).<br>
<br>
It seemed to hint at the old (pre-NSA surveillance state) position of making idps (or as partners) govern RP privacy policies, limiting who gets which sensitive claims. In a total surveillance climate, these American privacy initiatives look silly (and deceptive even).<br>
<br>
We were left with some academic schema statements based on inverted models of identity (you are the attributes attached to different relations). The point was lost. I felt like I was learning about an isam file structure (without knowing why).<br>
<br>
I was confused about the point of showcasing yet more jw* standards. All I guessed was that things will be day reimplement ws-secureconversation, perhaps, swapping byte format. This seemed to be a wap moment (having designed for a phone world *pre* broadband rate data plans, and handheld cpu/ram bigger than my university had for the entire engineering faculty).<br>
<br>
I was left with only one hint, from phone UI pictures. It was that oauth facilitates there being a native logon app, that supports other apps on the phone in that idp's ecosystem. (and maybe other idp app sellers, if 2 idps choose to coordinate - like all, yahoo and live in the era of I'm<br>
<br>
Just as I waited 3y for oauth to mature (and finally makes its case), wondering whether I should just ignore openid connect - and look again in 2-3 years?<br>
<br>
Sent from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
<span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">From:
</span><span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif"><a href="mailto:sakimura@gmail.com">Nat Sakimura</a></span><br>
<span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">Sent:
</span><span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">9/19/2013 4:16 PM</span><br>
<span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">To:
</span><span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif"><a href="mailto:home_pw@msn.com">Peter Williams</a></span><br>
<span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">Cc:
</span><span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif"><a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a></span><br>
<span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">Subject:
</span><span style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">Re: [OpenID] openid connect. what is it?</span><br>
<br>
</div>
<div dir="auto">
<div style="">This page may help you understand what OpenID Connect is based on your understanding of OAuth. </div>
<div style=""><br>
</div>
<div style=""><span style="font-family:'.HelveticaNeueUI'; font-size:15px; line-height:19px; white-space:nowrap"><a href="http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/">http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/</a></span></div>
<div><font face=".HelveticaNeueUI"><span style="font-size:15px; line-height:19px; white-space:nowrap"><br>
</span></font></div>
<div><span style="">ID Token has been used by google for sometime. </span></div>
<div><span style="">It's predecessor, signed request of Facebook has been used very widely as well. </span></div>
<div><span style=""><br>
</span></div>
<div><span style="">=nat via iPhone</span></div>
<div style=""><br>
On Sep 20, 2013, at 7:33, Peter Williams &lt;<a href="mailto:home_pw@msn.com">home_pw@msn.com</a>&gt; wrote:<br>
<br>
</div>
<blockquote type="cite" style="">
<div><style>
<!--
.x_hmmessage
{margin:0px;
padding:0px}
body.x_hmmessage
{font-size:12pt;
font-family:Calibri}
-->
</style>
<div dir="ltr">Having deployed an isp-class oauth service, I feel I know what OAUTH is (finally). Rather than have an embedded authentication website, it does websso to an IDP. In other words, the AS is itself a websso SP.<br>
<br>
Now, I understand that a few tweaks of messages in OAUTH allow that AS-webssoSP bridge to invoke a selector screen - by which users choose IDPs from a list. And, I understand that the OAUTH tweaks might indicate which of several IDP lists to use, where an OAUTH
IDP-class service can tune itself up to offer multiple private label experiences, selected by some or other label sent in an OAUTH message.<br>
<br>
Is that ALL openid "connect" is? (a way of hosting lots of identity selector pages, together with the config of the IDP metadata, etc; and a way of choosing which page of selections to present)?<br>
<br>
I've also seen hints that "companion" JWTs might accompany the access token. Known as id-tokens, they don't actually seem to exist in the wild (not having escaped the paper lab, yet). As far as I can tell, they are just JWTs with more than the nameid claim,
thereby avoiding a per-IDP API call (just to collect a yahoo API's vs facebook APIs member record claimset).<br>
<br>
Is this openid connect?<br>
<br>
I've also seen hints that the companion JWT is supposed to be a mobile account-linking record; similar to the old account linking service elements of OASIS. Is this openid connect? If there is "evidence" that several access tokens all relate to a common persistent
name (ahem XRD id, for structured names) represented by the id-token, is this openid connect?<br>
<br>
<br>
<br>
<br>
</div>
</div>
</blockquote>
</div>
</body>
</html>