Building identity on top of OAuth 2.0?
SitG Admin
sysadmin at shadowsinthegarden.com
Sun May 16 21:03:53 UTC 2010
So, from the looks of it, you're redoing delegation to rely on the OP
instead of the URI, and reducing the URI (formerly the primary
identifier) to just another item of profile data (like name or
photo), the "profile URL".

I'm not seeing how this "your Identity is primarily tied to your OP"
approach does anything but reinforce walled gardens. It's nice "when
people follow the rules": grand, but useless to protect against
malicious OPs.

-Shade

Postscript: reliance on SSL endpoints - considering how panicky the
modern browsers get over self-signed certificates, isn't this
discouraging (and effectively disqualifying) users from running their
own OAuth/OpenID endpoints?
More information about the specs
mailing list