<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="-webkit-text-size-adjust: auto; ">This page may help you understand what OpenID Connect is based on your understanding of OAuth. </div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; "><span style="font-family: '.HelveticaNeueUI'; font-size: 15px; line-height: 19px; white-space: nowrap; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-text-size-adjust: none; "><a href="http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/">http://nat.sakimura.org/2013/07/05/identity-authentication-oauth-openid-connect/</a></span></div><div><font face=".HelveticaNeueUI"><span style="font-size: 15px; line-height: 19px; white-space: nowrap; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469);"><br></span></font></div><div><span style="-webkit-text-size-adjust: auto;">ID Token has been used by Google for some time. </span></div><div><span style="-webkit-text-size-adjust: auto;">Its predecessor, the signed request of Facebook, has been used very widely as well. </span></div><div><span style="-webkit-text-size-adjust: auto;"><br></span></div><div><span style="-webkit-text-size-adjust: auto;">=nat via iPhone</span></div><div style="-webkit-text-size-adjust: auto; "><br>On Sep 20, 2013, at 7:33, Peter Williams <<a href="mailto:home_pw@msn.com">home_pw@msn.com</a>> wrote:<br><br></div><blockquote type="cite" style="-webkit-text-size-adjust: auto; "><div>
<div dir="ltr">Having deployed an ISP-class OAuth service, I feel I know what OAuth is (finally). Rather than have an embedded authentication website, it does web SSO to an IDP. In other words, the AS is itself a web SSO SP.<br> <br>Now, I understand that a few tweaks of messages in OAuth allow that AS/web-SSO-SP bridge to invoke a selector screen, by which users choose IDPs from a list. And I understand that the OAuth tweaks might indicate which of several IDP lists to use, where an OAuth IDP-class service can tune itself up to offer multiple private-label experiences, selected by some label or other sent in an OAuth message.<br> <br>Is that ALL OpenID Connect is? (A way of hosting lots of identity selector pages, together with the config of the IDP metadata, etc., and a way of choosing which page of selections to present?)<br> <br>I've also seen hints that "companion" JWTs might accompany the access token. Known as ID tokens, they don't actually seem to exist in the wild (not having escaped the paper lab yet). As far as I can tell, they are just JWTs with more than the nameid claim, thereby avoiding a per-IDP API call (just to collect a Yahoo API's vs. Facebook API's member record claimset).<br> <br>Is this OpenID Connect?<br> <br>I've also seen hints that the companion JWT is supposed to be a mobile account-linking record, similar to the old account linking service elements of OASIS. Is this OpenID Connect? If there is "evidence" that several access tokens all relate to a common persistent name (ahem, XRD id, for structured names) represented by the ID token, is this OpenID Connect?</div>
</div></blockquote><blockquote type="cite" style="-webkit-text-size-adjust: auto; "><div><span>_______________________________________________</span><br><span>general mailing list</span><br><span><a href="mailto:general@lists.openid.net">general@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a></span><br></div></blockquote></body></html>
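Both messages above turn on the ID Token being a signed JWT that the relying party verifies locally, instead of calling each provider's member-record API. The following is an added example, not code from this thread, from Google, Facebook or the OpenID Foundation: it mints an HS256-signed ID token and then validates it the way a relying party should. The issuer URL, client id, shared secret, subject, nonce and timestamp are all constructed for the example; HS256 is used only so it runs offline (providers normally sign with RS256 and publish keys at a jwks_uri, and then the signature step below would use that public key instead).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed values (assumptions for this example, not from the thread).
ISSUER = "https://idp.example"
CLIENT_ID = "example-rp"
CLIENT_SECRET = b"constructed-shared-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build a compact JWS (header.payload.signature) with HS256, as an IdP would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Verify an ID token as a relying party should and return its claims.

    Order of checks: well-formed compact JWS; alg pinned to what we expect
    (the header is never trusted to pick the algorithm); signature; iss; aud
    (plus azp for multi-audience tokens); exp; iat; and the nonce that binds
    the token to this particular login request.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multi-audience token without matching azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo() -> Tuple[str, List[str]]:
    """Mint one token, accept it, then show which checks reject tampered copies."""
    now = 1379662380  # constructed timestamp
    nonce = "n-0S6_WzA2Mj"  # constructed per-login nonce the RP would have stored
    claims = {"iss": ISSUER, "sub": "24400320", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "nonce": nonce,
              "email": "user@example"}  # extra claim beyond the bare identifier
    token = mint_id_token(claims)
    subject = validate_id_token(token, nonce, now)["sub"]
    rejected = []
    bad_cases = [
        ("replayed nonce", token, "other-nonce", now),
        ("expired", token, nonce, now + 600),
        ("wrong audience", mint_id_token({**claims, "aud": "another-rp"}), nonce, now),
        ("forged signature", token[:-4] + "AAAA", nonce, now),
    ]
    for label, bad_token, bad_nonce, at in bad_cases:
        try:
            validate_id_token(bad_token, bad_nonce, at)
        except ValueError:
            rejected.append(label)
    return subject, rejected


if __name__ == "__main__":
    print(demo())
```

The point for the thread: once the signature, issuer, audience, expiry and nonce checks pass, the claims in the token (sub plus whatever profile claims the provider included) are authenticated statements from the IDP, which is what lets the RP skip the per-provider API round trip Peter describes.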