2007-iiw-openid-and-oauth

Page history last edited by Chris Messina 12 years, 6 months ago

OpenID + OAuth

 

how can we get openid and oauth to work together?

 

right now the client flow for openid is... client --> SP --> iDP login --> --> SP authorize --> client

 

can we make it... client--> (SP) --> iDP directly --> (SP) --> client

 

turning oauth into an openid extension? keturn did this before...

 

how do we make the user experience better?

  • we could do this with an openid provider extension

 

 

openid provider could tie together tokens with identification.. centralize the process of authorization

 

part of this is single sign-on...

 

it's easy if the relying party is the token service provider...

 

as a group do we want to solve only openid OP and SP being the same?

 

eran gave an example of his oauth-openid nouncer flow

 

consumer asks sp for request token and provides the openid url... hint is in the request token request, authorization is in callback url, if there was an openid extension to ask questions (like "by logging in, you're also allowing access from this provider") then it would be client --> iDP --> client...

 

issue with this idea is that the iDP will not have a trust relationship with

 

if you're an openid and oauth provider, how do we reduce the friction?

 

example

  • no plaxo account, has yahoo account/openid
  • goes to plaxo, never been before... so you log in to plaxo with openid
  • plaxo creates account with openid account...
  • next: plaxo notices that yahoo has a calendar... now, in addition to sreg, it asks: do you want to import the calendar, without an additional step?
  • yahoo passes back oauth token
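The combined flow sketched in eran's nouncer notes above and in the plaxo/yahoo example, as an added simulation that is not code from the session or from any of the projects named (Nouncer, Plaxo, Yahoo). It assumes the "OP and SP being the same" case: the consumer gets a request token with the openid url as a hint, carries that token into the checkid_setup request under a made-up extension namespace (`openid.oauth.*`, `OAUTH_EXT_NS`), the iDP shows one combined prompt, and the authorized token rides back in the signed callback next to the sreg fields. HTTP, discovery and the DH association are elided: the two parties share `assoc_secret` directly and talk through in-memory objects.

```python
import hashlib
import hmac
import secrets

# Hypothetical namespace for the OAuth hint; not a registered OpenID extension.
OAUTH_EXT_NS = "http://example.invalid/openid/oauth-hint/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"


class ServiceProvider:
    """Plays yahoo: OpenID provider (iDP) and OAuth service provider in one."""

    def __init__(self):
        self.assoc_secret = secrets.token_bytes(20)   # association step elided; pre-shared here
        self.request_tokens = {}                       # token -> {authorized, openid, consumer}
        self.access_tokens = {}
        # Constructed user record: openid identifier plus sreg attributes.
        self.users = {"https://me.example.invalid/alice": {"nickname": "alice", "email": "alice@example.invalid"}}

    def issue_request_token(self, consumer_key, openid_hint):
        # The openid url is the "hint" in the request token request.
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"authorized": False, "openid": openid_hint, "consumer": consumer_key}
        return token

    def _sign(self, fields):
        # OpenID 2.0-style assertion signature: HMAC-SHA1 over "key:value\n" lines.
        signed = sorted(fields)
        payload = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
        return ",".join(signed), hmac.new(self.assoc_secret, payload, hashlib.sha1).hexdigest()

    def checkid_setup(self, request, user_logs_in, user_grants_access):
        """The iDP login step; the hint lets one prompt cover login and data access."""
        claimed_id = request["openid.claimed_id"]
        if not user_logs_in or claimed_id not in self.users:
            return {"openid.mode": "cancel"}
        token = request.get("openid.oauth.request_token")
        entry = self.request_tokens.get(token)
        # Only bind the token if it was issued for the same identifier that just logged in.
        if entry and entry["openid"] == claimed_id and user_grants_access:
            entry["authorized"] = True   # "by logging in, you're also allowing access from this provider"
        fields = {
            "openid.mode": "id_res",
            "openid.claimed_id": claimed_id,
            "openid.return_to": request["openid.return_to"],
            "openid.sreg.nickname": self.users[claimed_id]["nickname"],
            "openid.sreg.email": self.users[claimed_id]["email"],
        }
        if entry and entry["authorized"]:
            fields["openid.oauth.request_token"] = token   # authorization travels in the callback
        fields["openid.signed"], fields["openid.sig"] = self._sign(fields)
        return fields

    def exchange_access_token(self, consumer_key, request_token):
        # The token is tied to the consumer that requested it, so a stolen callback is useless to others.
        entry = self.request_tokens.pop(request_token, None)
        if not entry or not entry["authorized"] or entry["consumer"] != consumer_key:
            return None
        access = secrets.token_hex(8)
        self.access_tokens[access] = entry["openid"]
        return access


class Consumer:
    """Plays plaxo: a relying party that also wants an OAuth token for the calendar."""

    def __init__(self, key, sp):
        self.key, self.sp = key, sp
        self.return_to = "https://consumer.example.invalid/openid/return"

    def begin(self, claimed_id):
        token = self.sp.issue_request_token(self.key, claimed_id)
        return {
            "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id,
            "openid.return_to": self.return_to,
            "openid.ns.sreg": SREG_NS,
            "openid.sreg.optional": "nickname,email",
            "openid.ns.oauth": OAUTH_EXT_NS,
            "openid.oauth.request_token": token,
        }

    def complete(self, response):
        """Verify the signed assertion, then turn the returned request token into an access token."""
        if response.get("openid.mode") != "id_res":
            return None
        signed = response["openid.signed"].split(",")
        payload = "".join(f"{k}:{response[k]}\n" for k in signed).encode()
        expected = hmac.new(self.sp.assoc_secret, payload, hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, response["openid.sig"]) or response["openid.return_to"] != self.return_to:
            return None
        account = {"openid": response["openid.claimed_id"], "nickname": response.get("openid.sreg.nickname")}
        token = response.get("openid.oauth.request_token")
        account["access_token"] = self.sp.exchange_access_token(self.key, token) if token else None
        return account


def run_flow(user_logs_in=True, user_grants_access=True):
    """client --> iDP --> client: one round trip covers login, sreg and the OAuth grant."""
    sp = ServiceProvider()
    plaxo = Consumer("plaxo-key", sp)
    request = plaxo.begin("https://me.example.invalid/alice")
    response = sp.checkid_setup(request, user_logs_in, user_grants_access)
    return plaxo.complete(response)
```

Declining the calendar import still logs the user in (the account comes back without an access token); cancelling the login yields nothing, and the request token stays unauthorized so it can never be exchanged.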

 

 

AOL did it with token exchange for OpenID... token attributes, plus profile attributes

Dick suggests attribute exchange

 

might have some redundant associations...

 

this flow is like adding facebook apps

 

isn't identity on provider just one of the assets on the iDP?
