<div dir="ltr">Let me then ask this: With OAuth, how did you communicate the information about the authentication event and of the identity between the server and client in an inter-operable manner? <div><br></div><div>In short, OpenID Connect is something that provides it. <div>
<br></div><div>For JW*, <a href="http://self-issued.info/">http://self-issued.info/</a> would be a good resource. </div><div><br></div><div>OpenID Connect has no UI at all. Selector like thing is Account Chooser, which is another specification being worked on at OpenID Foundation. </div>
<div>For a basic description of what it is, perhaps you can look at <a href="https://www.accountchooser.com/learnmore.html">https://www.accountchooser.com/learnmore.html</a> . </div><div><br></div><div>Best, </div><div><br>
</div><div>Nat</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/9/20 Peter Williams <span dir="ltr"><<a href="mailto:home_pw@msn.com" target="_blank">home_pw@msn.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">Good try. But it didn't deliver the story.<br>
<br>
It said that id cert standardizes some Facebook thing (that I know nothing about, since Facebook is irrelevant to us).<br>
<br>
It seemed to hint at the old (pre NSA surveillance state) position, of making idps (or as partners) govern RP privacy policies, limiting who gets which sensitive claims. In a total surveillance climate, this American privacy- initiatives looks silly (and deceptive
even).<br>
<br>
We were left with some academic schema statements based on inverted models of identity (you are the attributes attached to different relations). The point was lost. I felt like I was learning about an isam file structure (without knowing why).<br>
<br>
I .was confused about the point of showcasing yet more jw* standards. All I guessed was that things will be day reimplement ws)secureconversation, perhaps, swapping byte format. This seemed to be a wap moment (having designed for a phone world * pre* broadband
rate data plans, and handheld cpu/ram bigger than my university had for the entire engineering faculty.<br>
<br>
I was left with only one hint, from phone UI pictures. It was that oauth facilitates their being a native logon app, that supports other apps on the phone in that idps ecosystem. (and maybe other idp app sellers, if 2 idp chhose to coordinate - like all, yahoo
and live in the era of I'm<br>
<br>
Just as I waited 3y for oauth to mature (and finally makes its case), wondering whether I should just ignore openid connect - and look again in 2-3 years?<br>
<br>
Sent from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">From:
</span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:sakimura@gmail.com" target="_blank">Nat Sakimura</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Sent:
</span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">9/19/2013 4:16 PM</span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">To:
</span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:home_pw@msn.com" target="_blank">Peter Williams</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Cc:
</span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:openid-general@lists.openid.net" target="_blank">openid-general@lists.openid.net</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Subject:
</span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">Re: [OpenID] openid connect. what is it?</span><br>
<br>
</div><div><div class="h5">
<div dir="auto">
<div>This page may help you understand what OpenID Connect is based on your understanding of OAuth. </div>
<div><br>
</div>
<div><span style="font-family:'.HelveticaNeueUI';font-size:15px;line-height:19px;white-space:nowrap"><a href="http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/" target="_blank">http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/</a></span></div>
<div><font face=".HelveticaNeueUI"><span style="font-size:15px;line-height:19px;white-space:nowrap"><br>
</span></font></div>
<div><span>ID Token has been used by google for sometime. </span></div>
<div><span>It's predecessor, signed request of Facebook has been used very widely as well. </span></div>
<div><span><br>
</span></div>
<div><span>=nat via iPhone</span></div>
<div><br>
Sep 20, 2013 7:33�$B!"�(BPeter Williams <<a href="mailto:home_pw@msn.com" target="_blank">home_pw@msn.com</a>> �$B$N%a%C%;!<%8�(B:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">Having deployed an isp-class oauth service, I feel I know what OAUTH is (finally). Rather than have an embedded authentication website, it does websso to an IDP. In other words, the AS is itself an websso SP.<br>
<br>
Now, I understand that a few tweaks of messages in OAUTH allows that AS-webssoSP bridge to invoke a selector screen - by which users choose IDPs from a list. And, I understand that the OAUTH tweaks might indicate which of several IDP lists to use, where a OAUTH
IDP-class service can tune-its self up to offer multiple private label experiences, selected by some or other label sent in an OAUTH message.<br>
<br>
Is that ALL opened "connect" is? (a way of hosting lots of identity selector pages, together with the config of the IDP metadata, etc; and a way of choosing which page of selections to present)?<br>
<br>
Ive also seen hints that "companion" JWTs might accompany the access token. Known as id-tokens, they don't actually seem to exist in the wild (not having escaped the paper lab, yet). As far as I can tell, they are just JWTs with more than the nameid claim,
thereby avoiding a per-IDP API call (just to collect a yahoo API's vs facebook APIs member record claimset).<br>
<br>
Is this opened connect?<br>
<br>
I've also seen hints that the companion JWT is supposed to be a mobile account-linking record; similar to the old account linking service elements of OASIS. is this opened connect? If there is "evidence" that several access tokens all relate to a common persistent
name (ahem XRD id, for structured names) represented by the id-token, is this openid connect?<br>
<br>
<br>
<br>
<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>general mailing list</span><br>
<span><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a></span><br>
<span><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a></span><br>
</div>
</blockquote>
</div>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>