Building identity on top of OAuth 2.0?
Chris Obdam
chris.obdam at holder.nl
Wed May 19 15:32:07 UTC 2010
When talking about "identity on top of OAuth 2" we now talk about OpenID Connect.
Who has looked at the OpenID Artifact binding by Nat who also builds on top of OAuth 2?
The spec is at http://www.sakimura.org/specs/ab/. It already tackles a lot of things that are in the charter Dick compiled yesterday at the IIW.
On 19 May 2010, at 16:46, Chris Messina wrote:
> Can you please expand on and be more specific about what you mean by this:
>
> " If, OTOH, you are interested in actually protecting peoples' identities, then OAuth 2.0 doesn't seem like a great starting point."
>
> What would be a better starting point? And what does it mean to "protect peoples' identities" in your thinking?
>
> Thanks,
>
> Chris
>
> Sent from my iPhone 2G
>
> On May 19, 2010, at 2:25 AM, Ben Laurie <benl at google.com> wrote:
>
>>
>>
>> On 16 May 2010 00:57, David Recordon <recordond at gmail.com> wrote:
>> The past few months I've had a bunch of one on one conversations with a lot of different people – including many of the folks on this list – about ways to build a future version of OpenID on top of OAuth 2.0. Back in March when I wrote a draft of OAuth 2.0 I mentioned it as one of my future goals as well (http://daveman692.livejournal.com/349384.html).
>>
>> Basically moving us to where there's a true technology stack of TCP/IP -> HTTP -> SSL -> OAuth 2.0 -> OpenID -> (all sorts of awesome APIs). Not just modernizing the technology, but also focusing on solving a few of the key "product" issues we hear time and time again.
>>
>> I took the past few days to write down a lot of these ideas and glue them together. Talked with Chris Messina who thought it was an interesting idea and decided to dub it "OpenID Connect" (see http://factoryjoe.com/blog/2010/01/04/openid-connect/). And thanks to Eran Hammer-Lahav and Joseph Smarr for some help writing bits of it!
>>
>> So, a modest proposal that I hope gets the conversation going again. http://openidconnect.com/
>>
>> If the goal is to get something as weak as possible without it instantly collapsing around your ears, then this sounds like a great plan.
>>
>> If, OTOH, you are interested in actually protecting peoples' identities, then OAuth 2.0 doesn't seem like a great starting point.
>>
>>
>> --David
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>>