[Openid-specs-ab] OpenID Connect and Identity Delegation

Tim Bray tbray at textuality.com
Thu Mar 28 18:28:50 UTC 2013


[Under my Google hat]. We use this to support what we call “hybrid apps”.
A write-up is at
http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

The key trick is that this is happening on Android, a sort of special case
in that (on a non-rooted phone) you can make a reliable assertion as to not
only who the user is, but which app requested the token.  There is strong
demand in the developer community for back-ends to know which apps they are
talking to.  We use azp for this purpose.  -T


On Thu, Mar 28, 2013 at 11:24 AM, Matias Woloski <matiasw at gmail.com> wrote:

> Correct. That's why I mention the scenario. Give me some more context of
> when and how I would use this.
>
>
> On Thu, Mar 28, 2013 at 3:21 PM, Brian Campbell <
> bcampbell at pingidentity.com> wrote:
>
>> That's what it says, more or less, right now.
>>
>> But how does that authorized presenter identify themselves? Or how do
>> those audiences verify it?
>>
>> Without something more, it's functionality no different than having
>> multiple audiences.
>>
>>
>>
>> On Thu, Mar 28, 2013 at 12:16 PM, Tim Bray <tbray at textuality.com> wrote:
>>
>>> I agree with Mike’s characterization. Why not include that exact
>>> sentence in the spec?
>>>
>>>
>>> On Thu, Mar 28, 2013 at 11:06 AM, Mike Jones <
>>> Michael.Jones at microsoft.com> wrote:
>>>
>>>>  An audience is a party that the token can be legally presented to.
>>>> The authorized presenter (azp) is a party that can legally present the
>>>> token to those audiences.
>>>>
>>>>                                                                 -- Mike
>>>>
>>>> From: openid-specs-ab-bounces at lists.openid.net [mailto:
>>>> openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
>>>> Sent: Thursday, March 28, 2013 11:00 AM
>>>> To: Matias Woloski
>>>> Cc: openid-specs-ab
>>>> Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation
>>>>
>>>> On Thu, Mar 28, 2013 at 11:55 AM, Matias Woloski <matiasw at gmail.com>
>>>> wrote:
>>>>
>>>>    - What is the difference between having multiple audiences vs using
>>>>    azp?
>>>>
>>>> FWIW, I've long had the same question.  Which is mentioned, among
>>>> others about azp, in
>>>> https://bitbucket.org/openid/connect/issue/830/what-is-azp-really
>>>>
>>>
>>
>
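
Added example, not part of the original thread and not code from Google or the OpenID Connect specification: one way a back-end could tell "addressed to me" (aud) apart from "requested by an app I recognise" (azp). It assumes the token's signature, issuer and expiry were already verified elsewhere; every client ID and name below is a constructed placeholder.

```python
# Added example: aud/azp checks on the claims of an ID token that has
# ALREADY passed signature, issuer and expiry validation (assumption).
# All client IDs are constructed placeholders, not real identifiers.

BACKEND_CLIENT_ID = "backend.example-client-id"          # hypothetical
TRUSTED_PRESENTERS = {"android-app.example-client-id"}   # hypothetical

# Constructed sample claims for illustration.
SAMPLE_OK = {"sub": "user-1", "aud": BACKEND_CLIENT_ID,
             "azp": "android-app.example-client-id"}


class ClaimError(Exception):
    """Raised when aud/azp do not match what this back-end accepts."""


def audiences(claims):
    """Return aud as a set; the claim may be a single string or a list."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return set(aud)
    raise ClaimError("aud missing or malformed")


def check_presenter(claims, me=BACKEND_CLIENT_ID, trusted=TRUSTED_PRESENTERS):
    """Accept only if the token is addressed to us (aud) and was requested
    by an app we recognise (azp). Returns the azp value on success."""
    if me not in audiences(claims):
        raise ClaimError("token not intended for this back-end")
    azp = claims.get("azp")
    if not isinstance(azp, str):
        # Being listed in aud says who may receive the token, not who asked.
        raise ClaimError("azp missing: requesting app is unknown")
    if azp not in trusted:
        raise ClaimError("token requested by an unrecognised app")
    return azp


def accepted(claims):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        check_presenter(claims)
        return True
    except ClaimError:
        return False
```
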