adawes at google.com
Wed Feb 25 05:54:35 UTC 2015

This is great but I think we need to go further than to document just how
the client performs login to the AP. We've seen instances by significant
partners where the client interacts with Google to do the login and then
simply transmits this info back to their home server without any further
auth between the client and server.

Describing the technique of transmitting the ID Token between client and
home server (then validating on the home server side) to generate a session
token for the client would be very valuable. Here's a very good write-up on
what a developer needs to do:

On Wed, Dec 10, 2014 at 4:31 PM, Nat Sakimura <sakimura at gmail.com> wrote:
> Feedback welcome.
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
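
The server-side step described in the message above, as an added example that is not part of the original post or of any OpenID Foundation material: the home server validates the ID Token the client forwards (signature, `iss`, `aud`, `exp`, `sub`) and only then issues its own session token. Assumptions: the issuer, client ID, secret and the `make_id_token` helper are constructed, and HS256 with a shared secret stands in for RS256 verification against the OP's published keys so that the example runs offline.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://op.example"               # assumed OP issuer (constructed)
CLIENT_ID = "example-client-id"             # assumed client_id registered at the OP
CLIENT_SECRET = b"constructed-demo-secret"  # HS256 key, stand-in for RS256 + JWKS
SESSIONS = {}                               # session token -> sub (demo store)

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims, key=CLIENT_SECRET):  # plays the OP; constructed sample only
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def validate_id_token(token):
    """Home-server check: return the claims or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64d(head)), json.loads(b64d(body))
        signature = b64d(sig)
    except Exception:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued to another client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        raise ValueError("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing sub")
    return claims

def login(token):
    """Exchange a validated ID Token for the home server's own session token."""
    claims = validate_id_token(token)
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = claims["sub"]
    return session
```

The `aud` check is what rejects a token that was legitimately issued by the same OP to a different application and then replayed against this server.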