[Openid-specs-ab] Javascript cookbook

Nat Sakimura sakimura at gmail.com
Wed Feb 25 06:11:28 UTC 2015


I guess it will be a separate document / page.

If the app has a server component which can be confidential, then it should
either use code flow or hybrid flow, IMHO.
The in-browser client and the PHP app on the server would have different
client IDs, and ID Tokens are issued to them separately.

2015-02-25 14:54 GMT+09:00 Adam Dawes <adawes at google.com>:

> This is great but I think we need to go further than to document just how
> the client performs login to the AP. We've seen instances by significant
> partners that the client interacts with Google to do the login and then
> simply transmits this info back to their home server without any further
> auth between the client and server.
>
> Describing the technique of transmitting the ID Token between client and
> home server (then validating on the home server side) to generate a session
> token for the client would be very valuable. Here's a very good write-up on
> what a developer needs to do:
>
>
> http://www.riskcompletefailure.com/2013/11/client-server-authentication-with-id.html
>
> On Wed, Dec 10, 2014 at 4:31 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> Hi,
>>
>> Here is a first rough cut of the Javascript cookbook.
>>
>> https://bitbucket.org/Nat/openid-cookbook/wiki/Javascript%20Cookbook
>>
>> Feedback welcome.
>>
>> Best,
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
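
The server-side step discussed in this thread (the home server validates the ID Token it receives from the client, then issues its own session token), as an added example that is not part of the original messages or the cookbook. The issuer, the expected audience, the in-process key pair and all function names are constructed for illustration; a real server verifies against the provider's published keys and its own registered client ID.

```javascript
const crypto = require('node:crypto');

// Constructed values (assumptions, not from the thread).
const ISSUER = 'https://op.example.com';
const EXPECTED_AUDIENCE = 'home-server-client.example';
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (v) => Buffer.from(v).toString('base64url');

// Stand-in for the provider: signs a claims set as an RS256 JWT (sample input only).
function signSampleToken(claims, key = privateKey) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the claims if this server may accept the token, otherwise throws.
function validateIdToken(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm; the token header must not choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  // A token issued to some other client must not log a user in here.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(EXPECTED_AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub');
  return claims;
}

// The session is an opaque random value bound to sub; the ID Token is not reused as the session.
const sessions = new Map();
function login(idToken, nowSec) {
  const { sub } = validateIdToken(idToken, nowSec);
  const sessionId = crypto.randomBytes(32).toString('base64url');
  sessions.set(sessionId, { sub, created: nowSec });
  return sessionId;
}
```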