[Openid-specs-ab] browserid

Salvatore D'Agostino sal at idmachines.com
Sun Jul 17 19:43:30 UTC 2011

John B,

I like the smart client options.

From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
Sent: Saturday, July 16, 2011 12:34 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] browserid


Links for those that haven't looked yet.

They are using asymmetrically signed JWT with an introspection endpoint.


There are limitations on attributes, identifiers and other serious issues
with what Mozilla is proposing.


Though it is relatively close to what Nat and I were thinking with
asymmetrically signed id_tokens, and an introspection endpoint.


In some ways our flow would be simpler if the id_tokens were always
asymmetrically signed and anyone not supporting that uses the introspection


If the RP doesn't understand asymmetric signatures it just throws to the
introspection endpoint.  

The big advantage is for smart clients.  They would not need to manage
shared secrets to validate tokens.


For a smart client I suppose that you could let it generate its own access
tokens if those access tokens are JWT and they wrap a JWT containing the
client's public key and some scope constraints etc. In principle that
could lower the IdP's authorization load, however I don't know if it would
be worth it.


Just some things to think about.


John B.


