[Openid-specs-ab] Fwd: [OAUTH-WG] SSO scenario

John Bradley ve7jtb at ve7jtb.com
Wed Aug 31 02:07:08 UTC 2011


That is what the implicit flow is intended for. 

Sent from my iPhone

On 2011-08-30, at 9:21 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> Is this use case covered in the Connect?
> 
> =nat
> 
> 
> ---------- Forwarded message ----------
> From: Justin Karneges <justin at affinix.com>
> Date: Sat, Aug 27, 2011 at 8:04 AM
> Subject: [OAUTH-WG] SSO scenario
> To: oauth at ietf.org
> 
> 
> Hi folks,
> 
> I currently use a proprietary token approach to provide authentication to a
> browser widget, and I wonder if OAuth could be used to replace it.
> 
> Here's how the system currently works:
>  - website supports authenticated users (happens via username/password form)
>  - website and widget provider have a shared secret
>  - the website serves a page to the browser, containing an embed of a remote
> widget as well as a token that asserts the currently logged in user.  the
> widget takes this token and performs an ajax call to the widget provider
> server.  behold, the user is now logged in to the widget.
> 
> In trying to organize this into OAuth terms and roles, here is what I come up
> with:
>  - resource owner: the user
>  - resource server: widget provider (where the resource is generically "the
> ability to utilize the widget")
>  - client: the webpage running in the browser
>  - authorization server: the website
> 
> The website essentially serves up the client application and token in one
> shot, so the client never has to explicitly ask for a token.  However, the
> client would then take that token and use it to access a service.  The website
> and widget provider would share key material such that token validation is
> possible, but it's important to note that the two services are not owned and
> operated by the same people.
> 
> Does this seem right?  Normally when I think of OAuth, I think of a user
> giving a third-party service access to his personal stuff, but in the above flow
> I'm proposing that OAuth be used so that the user gains access to his own
> stuff.  In fact, there would be no way to access his stuff other than this
> approach, so it's not just about optional third-party access.  It's the direct
> and only access.
> 
> Would love confirmation that OAuth is appropriate for my needs, and if I have
> the roles right in that case.
> 
> Thanks,
> Justin
> _______________________________________________
> OAuth mailing list
> OAuth at ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
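The shared-secret token exchange Justin describes above (website mints a token asserting the logged-in user, the widget's ajax call presents it, the widget provider validates it with the shared key), as an added example that is not part of this thread: the secret value, the issuer and audience names, and the claim layout are all constructed here, and the validator rejects tampered, misdirected and expired tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder for the key the website and widget provider share.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"
WEBSITE = "website.example"                  # hypothetical issuer name
WIDGET_PROVIDER = "widget-provider.example"  # hypothetical audience name


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username: str, now: int, ttl: int = 300) -> str:
    """Website side: assert the currently logged-in user to the widget provider.
    Binding issuer, audience and a short lifetime into the signed claims stops
    the token being replayed against another service or long after login."""
    claims = {"iss": WEBSITE, "aud": WIDGET_PROVIDER, "sub": username,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def validate_token(token: str, now: int) -> Optional[dict]:
    """Widget-provider side: return the claims only if the tag verifies, the
    token is addressed to this provider by the expected website, and it is
    still within its lifetime; otherwise return None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so verification does not leak timing.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if claims.get("iss") != WEBSITE or claims.get("aud") != WIDGET_PROVIDER:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    token = mint_token("alice", int(time.time()))
    print(validate_token(token, int(time.time())))
```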
