[Openid-specs-ab] Fwd: [OAUTH-WG] SSO scenario

Nat Sakimura sakimura at gmail.com
Wed Aug 31 02:35:23 UTC 2011


Perhaps we should inform him.

=nat via iPhone

On 2011/08/31, at 11:07, John Bradley <ve7jtb at ve7jtb.com> wrote:

> That is what the implicit flow is intended for.
>
> Sent from my iPhone
>
> On 2011-08-30, at 9:21 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> Is this use case covered in the Connect?
>>
>> =nat
>>
>>
>> ---------- Forwarded message ----------
>> From: Justin Karneges <justin at affinix.com>
>> Date: Sat, Aug 27, 2011 at 8:04 AM
>> Subject: [OAUTH-WG] SSO scenario
>> To: oauth at ietf.org
>>
>>
>> Hi folks,
>>
>> I currently use a proprietary token approach to provide authentication to a
>> browser widget, and I wonder if OAuth could be used to replace it.
>>
>> Here's how the system currently works:
>> - website supports authenticated users (happens via username/password form)
>> - website and widget provider have a shared secret
>> - the website serves a page to the browser, containing an embed of a remote
>> widget as well as a token that asserts the currently logged in user.  the
>> widget takes this token and performs an ajax call to the widget provider
>> server.  behold, the user is now logged in to the widget.
>>
>> In trying to organize this into OAuth terms and roles, here is what I come up
>> with:
>> - resource owner: the user
>> - resource server: widget provider (where the resource is generically "the
>> ability to utilize the widget")
>> - client: the webpage running in the browser
>> - authorization server: the website
>>
>> The website essentially serves up the client application and token in one
>> shot, so the client never has to explicitly ask for a token.  However, the
>> client would then take that token and use it to access a service.  The website
>> and widget provider would share key material such that token validation is
>> possible, but it's important to note that the two services are not owned and
>> operated by the same people.
>>
>> Does this seem right?  Normally when I think of OAuth, I think of a user
>> giving a third-party service access to his personal stuff, but in the above flow
>> I'm proposing that OAuth be used so that the user gains access to his own
>> stuff.  In fact, there would be no way to access his stuff other than this
>> approach, so it's not just about optional third-party access.  It's the direct
>> and only access.
>>
>> Would love confirmation that OAuth is appropriate for my needs, and if I have
>> the roles right in that case.
>>
>> Thanks,
>> Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth at ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
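Added example (not code from anyone in this thread, and not the OAuth implicit flow John points to): the proprietary token scheme Justin describes, with the website signing "this user is logged in here" and the widget provider validating it under the shared secret. The names SHARED_SECRET, WEBSITE, WIDGET_PROVIDER, issue_token, validate_token, check and forge_subject, and all values, are assumptions made for this example. It goes slightly beyond the message by showing the checks the scheme needs once the two services are run by different operators: a constant-time MAC comparison before anything in the payload is trusted, issuer and audience matching so a token minted for one provider cannot be replayed at another, an expiry, and an optional replay list keyed on a per-token id.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed values for this example; in the scenario the secret is exchanged
# out of band between the two operators and the identifiers agreed the same way.
SHARED_SECRET = b"example-shared-secret-replace-me"
WEBSITE = "https://website.example"          # assumed issuer identifier
WIDGET_PROVIDER = "https://widget.example"   # assumed audience identifier


class TokenError(Exception):
    """Raised by validate_token for any reason the token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    # Canonical JSON so issuer and re-encoder produce identical bytes to MAC.
    return _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())


def issue_token(user_id: str, now: Optional[float] = None, ttl: int = 300) -> str:
    """Website side: sign 'user_id is logged in here' for the widget provider.
    The page embeds the result next to the widget, which sends it in its AJAX call."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": WEBSITE,
        "aud": WIDGET_PROVIDER,
        "sub": user_id,
        "iat": now,
        "exp": now + ttl,
        "jti": _b64url(os.urandom(16)),  # unique per token so the provider can refuse replays
    }
    payload = _encode_claims(claims)
    mac = hmac.new(SHARED_SECRET, payload.encode("utf-8"), hashlib.sha256).digest()
    return payload + "." + _b64url(mac)


def validate_token(token: str, now: Optional[float] = None,
                   seen_jti: Optional[set] = None) -> dict:
    """Widget provider side: accept the token only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise TokenError("malformed token")
    payload, sig = parts
    try:
        presented = _b64url_decode(sig)
    except (binascii.Error, ValueError):
        raise TokenError("malformed signature")
    expected = hmac.new(SHARED_SECRET, payload.encode("utf-8"), hashlib.sha256).digest()
    # Verify the MAC before trusting anything in the payload; constant-time compare.
    if not hmac.compare_digest(expected, presented):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload))
    except (binascii.Error, ValueError):
        raise TokenError("malformed payload")
    if claims.get("iss") != WEBSITE:
        raise TokenError("unknown issuer")
    if claims.get("aud") != WIDGET_PROVIDER:
        raise TokenError("token not intended for this provider")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired")
    jti = claims.get("jti")
    if not isinstance(jti, str):
        raise TokenError("missing jti")
    if seen_jti is not None:
        if jti in seen_jti:
            raise TokenError("token replayed")
        seen_jti.add(jti)
    return claims


def check(token: str, now: float, seen_jti: Optional[set] = None) -> str:
    """Summarise validate_token's verdict as a string for the demo below."""
    try:
        return "ok:" + validate_token(token, now, seen_jti)["sub"]
    except TokenError as err:
        return "rejected:" + str(err)


def forge_subject(token: str, new_subject: str) -> str:
    """Re-encode the payload with another subject but keep the original MAC."""
    payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_subject
    return _encode_claims(claims) + "." + sig


if __name__ == "__main__":
    token = issue_token("alice", now=1_700_000_000)
    seen = set()
    print(check(token, 1_700_000_001, seen))                 # ok:alice
    print(check(token, 1_700_000_001, seen))                 # rejected:token replayed
    print(check(token, 1_700_000_300))                       # rejected:token expired
    print(check(forge_subject(token, "bob"), 1_700_000_001)) # rejected:bad signature
```

The replay set is optional because it only matters if the provider's endpoint performs a state-changing action on first use; for a pure "log the user in" call the short expiry already bounds the damage of a captured token, and a token captured from the page is visible to anything else running in it, which is the reason such tokens should be short-lived and bound to a single audience.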


