OAuth + OpenID

NISHITANI Masaki m-nishitani at nri.co.jp
Wed Dec 12 00:30:26 UTC 2007


Hi Praveen.

I think I have missed one interaction in chart 3, and was a
little confused about the terms authentication and
authorization in the mail text.

I've updated the chart to indicate that end-user authentication
and the end-user permitting the Consumer to access their data
will be done separately in use case 3.

In case 3, the SP is regarded as a ``data authority'' and the OP
as an ``identity authority'' in the same manner. I think it is
not an unusual situation for a data authority to delegate user
authentication to another identity provider, especially when the
IdP provides special authentication methods such as Vidoop's.




alavillipraveen at aol.com wrote:
> In use case 3 I don't think we should combine AuthZ with AuthN. Even 
> though the SP is using the OP for authenticating the user, it would still 
> have to deal with its own authorization so it controls what 
> services/data the consumer can access on behalf of the user (at least 
> until we can come up with some extension to OpenID to allow the OP to take care 
> of authorizations too). It's the same for use case 4 too, but since the SP & OP 
> are the same it can optimize the flows; but again we need some OpenID extension 
> here too, otherwise it would become something proprietary with every 
> provider.
> 
> - Praveen
> 
> 
> -----Original Message-----
> From: NISHITANI Masaki <m-nishitani at nri.co.jp>
> To: specs at openid.net
> Sent: Tue, 11 Dec 2007 18:23:33 +0900
> Subject: OAuth + OpenID
> 
> Hi all.
> 
> Following the theme, OAuth and OpenID, discussed at IIW
> 2007b, I have made up some brief diagrams as a sort of
> self-brainstorming.
> 
> It is a shame that I was not able to join that
> session at IIW, but judging from the wiki page at
> http://iiw.idcommons.net/index.php/OAuth_and_OpenID ,
> it mainly went over the case where the SP (an OAuth term)
> and the OP (an OpenID term) are the same one.
> 
> Now the diagrams consist of:
> 
> Page 1; Ordinary OAuth sequence chart.
> Page 2; Same for OpenID.
> Page 3; Using OAuth and OpenID together,
>    the Consumer does not need authorization but access to
>    the user's data stored in the SP, and the SP uses OpenID for its
>    authorization method.
> Page 4; Superimposing OAuth and OpenID,
>    the SP and OP are the same one and the consumer requires the user's
>    data stored in the OP/SP and uses OpenID as well.
> 
> This is a starting point for me and now I am looking for any
> other use case and trying to make myself clear.
> 
> Probably there are some chances to make the protocols
> simpler. One case is to skip the association phase, using the
> Consumer secret or RSA key of the consumer to verify the
> consumer/RP.
> 
> I will be glad to have comments.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenID_OAuth_Chart.pdf
Type: application/pdf
Size: 56864 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20071212/3819d480/attachment-0002.pdf>
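The use case 3 exchange the thread is discussing, as an added worked example that is not part of the original mails or the attached chart: the SP is the OAuth "data authority" and delegates end-user authentication to the OP, while the user's grant to the Consumer stays a separate decision taken inside the SP (Praveen's point that the SP must keep its own authorization). The OP endpoint, SP URLs, consumer key/secret, user identifier and stored data are assumed values constructed for the simulation; the OpenID association phase is assumed already done (a shared MAC key is handed in), the OpenID assertion is signed with HMAC-SHA256 over the kv-form of the signed fields as in OpenID Authentication 2.0, and OAuth 1.0 HMAC-SHA1 request signing is modelled on the access-token leg only.

```python
"""Constructed simulation of use case 3: SP = OAuth data authority, OP = identity
authority. End-user AuthN (OpenID assertion) and the user's grant to the Consumer
(OAuth) are two separate checks inside the SP. All names/URLs are assumptions."""
import base64, hashlib, hmac, secrets, urllib.parse

OP_ENDPOINT = "https://op.example/auth"                  # assumed OP URL
SP_RETURN_TO = "https://sp.example/openid/return"        # assumed SP return_to
SP_ACCESS_URL = "https://sp.example/oauth/access_token"  # assumed SP endpoint

def openid_sig(mac_key, fields):
    """OpenID 2.0 signature: HMAC over 'key:value\\n' lines of the fields in 'signed'."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def op_assertion(mac_key, assoc_handle, claimed_id, nonce):
    """OP side: positive (id_res) assertion that the end user owns claimed_id."""
    f = {"ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
         "op_endpoint": OP_ENDPOINT, "claimed_id": claimed_id, "identity": claimed_id,
         "return_to": SP_RETURN_TO, "response_nonce": nonce, "assoc_handle": assoc_handle,
         "signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    f["sig"] = openid_sig(mac_key, f)
    return {"openid." + k: v for k, v in f.items()}

def oauth_sig(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0 HMAC-SHA1 over METHOD&enc(url)&enc(sorted normalized params)."""
    enc = lambda s: urllib.parse.quote(s, safe="~")
    norm = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()) if k != "oauth_signature")
    base = "&".join([method.upper(), enc(url), enc(norm)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class ServiceProvider:
    def __init__(self, consumers, associations):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.assoc = associations       # assoc_handle -> MAC key shared with the OP
        self.seen_nonces = set()
        self.request_tokens, self.access_tokens = {}, {}   # token -> {secret, consumer, scope, user}
        self.data = {"https://alice.op.example/":          # constructed user data
                     {"calendar": "alice: dentist 14:00", "contacts": "alice: bob, carol"}}

    def verify_openid(self, response):
        """Step A, AuthN only: the SP acts as RP; returns the claimed_id or None."""
        f = {k[len("openid."):]: v for k, v in response.items() if k.startswith("openid.")}
        if f.get("mode") != "id_res" or f.get("return_to") != SP_RETURN_TO:
            return None
        mac_key = self.assoc.get(f.get("assoc_handle"))
        if mac_key is None or f.get("response_nonce") in self.seen_nonces:
            return None
        if not hmac.compare_digest(openid_sig(mac_key, f).encode(), f.get("sig", "").encode()):
            return None
        self.seen_nonces.add(f["response_nonce"])   # replay protection
        return f["claimed_id"]                       # who the user is; grants nothing

    def request_token(self, consumer_key, scope):
        """OAuth leg 1: unauthorized request token bound to a Consumer and a scope."""
        if consumer_key not in self.consumers:
            return None
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[tok] = {"secret": sec, "consumer": consumer_key, "scope": set(scope), "user": None}
        return tok, sec

    def authorize(self, token, user, approved):
        """Step B, AuthZ: an *authenticated* user grants this token; the SP's own decision."""
        rt = self.request_tokens.get(token)
        if rt is None or user not in self.data or not approved:
            return False
        rt["user"] = user
        return True

    def access_token(self, params):
        """OAuth leg 3: only an authorized, correctly signed request token is exchanged."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["user"] is None or rt["consumer"] != params.get("oauth_consumer_key"):
            return None
        expected = oauth_sig("POST", SP_ACCESS_URL, params, self.consumers[rt["consumer"]], rt["secret"])
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return None
        del self.request_tokens[params["oauth_token"]]   # one-shot exchange
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.access_tokens[tok] = {**rt, "secret": sec}
        return tok, sec

    def fetch(self, token, resource):
        """Protected resource: the access token's scope, not the OpenID, gates reads."""
        at = self.access_tokens.get(token)
        if at is None or resource not in at["scope"]:
            return None
        return self.data[at["user"]].get(resource)

def run_usecase3():
    """Drive the whole exchange; returns (sp, results) for inspection."""
    mac_key = secrets.token_bytes(32)
    sp = ServiceProvider({"photo-app": "consumer-secret-1"}, {"assoc-1": mac_key})
    rtok, rsec = sp.request_token("photo-app", scope={"calendar"})                  # leg 1
    user = sp.verify_openid(op_assertion(mac_key, "assoc-1",                         # AuthN at OP
                                         "https://alice.op.example/", "2007-12-12T00:30:26Zn1"))
    granted = sp.authorize(rtok, user, approved=True)                                # AuthZ at SP
    params = {"oauth_consumer_key": "photo-app", "oauth_token": rtok,               # leg 3
              "oauth_nonce": secrets.token_hex(4), "oauth_timestamp": "1197419426",
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
    params["oauth_signature"] = oauth_sig("POST", SP_ACCESS_URL, params, "consumer-secret-1", rsec)
    atok, _ = sp.access_token(params)
    return sp, {"user": user, "granted": granted,
                "calendar": sp.fetch(atok, "calendar"), "contacts": sp.fetch(atok, "contacts")}
```

Note the two independent gates: verify_openid yields only an identity (a replayed or tampered assertion yields none), and the Consumer gets an access token only after that identity has approved the specific request token. Scope lives with the OAuth token, so the Consumer can read the calendar it was granted but not the contacts, regardless of what the OP asserted.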

