[Openid-specs-ab] Marketing OpenID: combatting negativity

Tom Jones thomasclinganjones at gmail.com
Wed Jan 30 00:50:34 UTC 2019


I would like to see Hans' work succeed. I am not currently in a position to
try to evaluate it.
Peace ..tom


On Tue, Jan 29, 2019 at 1:57 PM Hans Zandbelt <hans.zandbelt at zmartzone.eu>
wrote:

> FWIW: not requiring dynamic client registration for the OIDC RP
> certification suite is an existing enhancement request with a fairly simple
> command-line workaround for the time being:
> https://github.com/openid-certification/oidctest/issues/15
>
> Hans.
>
> On Tue, Jan 29, 2019 at 8:40 PM Tom Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> FWIW I tried to address this by building a .NET library on Core 1.1 for
>> relying parties. The big problem for me was the certification, as the
>> existing .NET tooling did not support dynamic registration. When I tried to
>> load that solution library into the MSFT samples, they had changed to .NET
>> Core 2.0 and were not interested in a Core 1.1 implementation. Now they are
>> on to .NET Core 3.0. Identity mgmt is in a state of flux and the W3C CCG is
>> not helping to stabilize the situation at all. While it's hard to know how
>> the OpenID Foundation can help, I would recommend considering a
>> certification test suite that did not depend on dynamic registration.
>>
>> In the meantime, I am trying to build an OpenID self-issued ID open source
>> solution compatible with the W3C CCG, to see if that can bring the two
>> together.
>>
>> Peace ..tom
>>
>>
>> On Tue, Jan 29, 2019 at 12:18 PM Mike Jones via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> For what it’s worth, I thought the article
>>> https://developer.okta.com/blog/2019/01/23/nobody-cares-about-oauth-or-openid-connect
>>> was mostly positive for OAuth and OpenID Connect (once you get past the
>>> title).  Remember that unlike OpenID 2.0, we haven’t tried to make “OpenID
>>> Connect” a consumer brand.  In fact, when we present about OpenID Connect,
>>> we typically remind people that they’re probably using OpenID Connect, even
>>> though they may not know it.  For instance, Slide 4 of
>>> http://self-issued.info/presentations/OpenID_Connect_Introduction_23-Oct-18.pdf
>>> says:
>>>
>>> *You’re probably already using OpenID Connect!*
>>>
>>>    - If you have an Android phone or log in at AOL, Deutsche Telekom,
>>>    Google, Microsoft, NEC, NTT, Salesforce, Softbank, Symantec, Verizon, or
>>>    Yahoo! Japan, you’re already using OpenID Connect
>>>    - Many other sites and apps large and small also use OpenID Connect
>>>
>>>
>>>
>>> I thought that this part of the article was dead-on:
>>>
>>> The reason nobody cares about OAuth and OIDC is that OAuth and OIDC
>>> aren’t what developers are interested in. The only thing developers are
>>> *actually* interested in is what OAuth and OIDC help with, *authentication
>>> and authorization*.
>>>
>>>
>>>
>>> 99.99% of developers out there don’t know (or want to know) anything
>>> about OAuth, OIDC, or any other security specifications. All they want to
>>> do is find the simplest and most straightforward way to support user
>>> authentication and authorization in their application. They don’t care
>>> about standards, specifications, grant types, JWTs, or scopes and timeouts
>>> – all they want to do is log a user in and check to see what permissions
>>> they have.
>>>
>>>
>>>
>>> To be clear, Okta advertised their allegiance to OpenID Connect here
>>> (and in their OpenID Certifications
>>> <https://openid.net/certification/#OPs>):
>>>
>>> With the state of tooling right now, web developers are essentially
>>> *forced* to learn about OAuth and OIDC and are burdened with the need
>>> to understand how these standards work and how to (hopefully) apply them
>>> properly to their application. It isn’t a great system.
>>>
>>>
>>>
>>> This is one of the reasons why, here at Okta
>>> <https://developer.okta.com/>, even though our entire platform is built
>>> on top of OAuth and OIDC, we spend tons of time and effort trying to build
>>> abstractions (in the form of client libraries) to hide those complexities
>>> and make securing your web applications simpler.
>>>
>>>
>>>
>>> I also agree with the gist of this conclusion:
>>>
>>> While OAuth and OIDC are certainly useful and important, the reality of
>>> the situation today is that almost nobody cares about OAuth and OIDC.
>>> Developers don’t want more OAuth and OIDC libraries and documentation in
>>> their lives: they want less of it.
>>>
>>>
>>>
>>> The easier that we can all make it for developers to securely use OpenID
>>> Connect, the better for everyone. That’s always been the goal!
>>>
>>>
>>>
>>>                                                        -- Mike
>>>
>>>
>>>
>>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
>>> Behalf Of *Nat Sakimura via Openid-specs-ab
>>> *Sent:* Monday, January 28, 2019 3:43 PM
>>> *To:* Artifact Binding/Connect Working Group <
>>> openid-specs-ab at lists.openid.net>
>>> *Cc:* Nat Sakimura <sakimura at gmail.com>; Mike Schwartz <mike at gluu.org>
>>> *Subject:* Re: [Openid-specs-ab] Marketing OpenID: combatting negativity
>>>
>>>
>>>
>>> Mike,
>>>
>>>
>>>
>>> +1 on running inter-linked blog and vlog posts.
>>>
>>>
>>>
>>> +1 also for positioning OpenID as fun and easy. The "easy" part is a bit
>>> of an overstatement but it is clinically proven that if people are told that
>>> it is hard, they will absolutely stop learning.
>>>
>>>
>>>
>>> Nat
>>>
>>>
>>>
>>> On Sun, Jan 27, 2019 at 9:02 PM Mike Schwartz via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>
>>> I think to go head-to-head with the negative OpenID press, we need to
>>> market a message something to the effect of:
>>>
>>> "Using OpenID is great fun, and it solves real problems for developers."
>>>
>>> You can't combat negativity with a message of: "the detractors have a
>>> point".
>>>
>>> We have the brain trust in this community to get that message out. If
>>> everyone wrote one blog, and we all cross-promote on social media (i.e.
>>> more of what Nat is doing so brilliantly on Youtube...), I think we
>>> could make a dent in perceptions. Especially if we tap into the
>>> corporate marketing capabilities of our respective organizations.
>>>
>>> - Mike
>>>
>>>
>>> -----------
>>> Michael Schwartz
>>> Gluu
>>> Founder / CEO
>>> mike at gluu.org
>>> https://www.linkedin.com/in/nynymike/
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Nat Sakimura (=nat)
>>>
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>
>
> --
> hans.zandbelt at zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
>