Building identity on top of OAuth 2.0?

Torsten Lodderstedt torsten at lodderstedt.net
Sat May 22 09:15:26 UTC 2010 

Am 20.05.2010 05:18, schrieb Allen Tom:
> Whoa, I think it's premature to say that Yahoo supports OpenID 
> Connect, but I would imagine that only a single Access Token would be 
> returned to coolcalendar.com -- the Access Token would presumably be 
> good for both "openid" and "calendar" scope. Why would the OP want to 
> return 2 tokens?
>

very good question!

Probably because the protected resources for user data and calendar data 
access are operated independently? Let's assume the AS issues 
self-contained, signed, and encrypted bearer tokens. The signature and 
encryption could be based on a shared secret between AS and RP.  In such 
a scenario, it is required to issue different, PR specific, tokens. 
Otherwise, user data and calendar data service could (1) either not 
decrypt and validate the token or (2) would be forced to share the same 
secret.

Moreover, the RPs might need different user attributes and permissions, 
so even the payload might differ.

regards,
Torsten.
P.S: I suggest to move the discussing to the OAuth mailing list. Thoughts?

> Allen
>
>
> On 5/19/10 5:27 PM, "Dirk Balfanz" <balfanz at google.com> wrote:
>
>
>     Let's say I'm coolcalendar.com <http://coolcalendar.com> , and I
>     want to "connect" one of my user's accounts to his Yahoo! account.
>     I don't want to roll my own auth system, so I'm happy to see that
>     Yahoo! supports OpenID Connect. To connect, I'll send the user
>     over to Yahoo! with scope=openid%20yahoo-calendar. What I get
>     back, in your proposal, is two different kinds of "tokens": the
>     access token that my servers use to access Yahoo! and something
>     I'll call "openid connect token" (which in your proposal comprises
>     a few different parameters - user id, timestamp, signature, etc.)
>     that browsers use (in form of a cookie) to access my own servers
>     at coolcalendar.com <http://coolcalendar.com> .
>
>     Why do those two tokens look different? They serve the same
>     purpose - authenticating access from a client to a server, so they
>     should look the same.
>
>     Why should Yahoo! run different code to authenticate requests
>     coming from my server than the code I'm running on my servers to
>     authenticate requests coming from browsers - we have to solve the
>     same task, so we should run the same code. It's simpler.
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>    

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20100522/413ab4e5/attachment.html>

More information about the specs mailing list