Building identity on top of OAuth 2.0?

Joseph Holsten joseph at josephholsten.com
Wed May 19 17:34:46 UTC 2010


Ben Laurie wrote:
> David Recordon wrote:
>> So, a modest proposal that I hope gets the conversation going again. http://openidconnect.com/
> 
> If the goal is to get something as weak as possible without it instantly collapsing around your ears, then this sounds like a great plan.

Not a bad description of Diffie-Hellman based OpenID either.

Got any more specific critiques of OAuth 2 for those of us who haven't yet heard security arguments against it?
--
http://josephholsten.com

