[Openid-specs-ab] browserid

John Bradley ve7jtb at ve7jtb.com
Sat Jul 16 16:34:16 UTC 2011

Links for those that haven't looked yet.

> https://browserid.org/
> http://arstechnica.com/web/news/2011/07/mozillas-browserid-aims-to-simplify-authentication-on-the-web.ars

They are using asymmetrically signed JWT with an introspection endpoint.

There are limitations on attributes, identifiers and other serious issues with what Mozilla is proposing.

Though it is relatively close to what Nat and I were thinking with asymmetrically signed id_tokens, and an introspection endpoint.

In some ways our flow would be simpler if the id_tokens were always asymmetrically signed and anyone not supporting that uses the introspection endpoint.

If the RP doesn't understand asymmetric signatures it just throws to the introspection endpoint.  
The big advantage is for smart clients.  They would not need to manage shared secrets to validate tokens.

For a smart client I suppose that you could let it generate its own access tokens if those access tokens are JWT and they wrap a JWT containing the client's public key and some scope constraints etc. In principle that could lower the IdP's authorization load, however I don't know if it would be worth it.

Just some things to think about.

John B.
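
The flow sketched in this message, as an added example that is not part of the original post or of any OpenID specification: an IdP issues an asymmetrically signed id_token, an RP that understands asymmetric signatures verifies it locally with only the IdP's public key, and an RP that does not sends it to the introspection endpoint. The function names, the RS256 algorithm choice, the `aud`/`exp` checks and the in-process stand-in for the introspection endpoint are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
// Constructed IdP key pair for the demo; a real RP gets the IdP public key out of band.
const idp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// IdP: issue an RS256-signed JWT id_token (hypothetical helper).
function issueIdToken(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), idp.privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Signature, audience and expiry checks; `now` is in seconds since the epoch.
function verifySigned(token, publicKey, expectedAud, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return { active: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    if (!header || !claims) throw new TypeError('not an object');
  } catch {
    return { active: false, reason: 'malformed' };
  }
  // Pin the algorithm: the token header must not choose how it is verified.
  if (header.alg !== 'RS256') return { active: false, reason: 'bad alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('sha256', signed, publicKey, sig)) return { active: false, reason: 'bad signature' };
  if (claims.aud !== expectedAud) return { active: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { active: false, reason: 'expired' };
  return { active: true, claims };
}

// IdP introspection endpoint, simulated in-process (in deployment: an HTTPS call to the IdP).
function introspect(token, clientId, now) {
  return verifySigned(token, idp.publicKey, clientId, now);
}

// RP: verify locally when it understands asymmetric signatures, otherwise ask the IdP.
function validateAtRp(token, rp, now) {
  if (rp.supportsAsymmetric) {
    return { via: 'local', ...verifySigned(token, rp.idpPublicKey, rp.clientId, now) };
  }
  return { via: 'introspection', ...introspect(token, rp.clientId, now) };
}
```

Neither RP holds a shared secret: the local path needs only the IdP's public key, and the introspection path leaves verification to the IdP.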
