OpenID + OAuth


how can we get openid and oauth to work together?


right now the client flow for openid is... client --> SP --> iDP login --> --> SP authorize --> client


can we make it... client --> (SP) --> iDP directly --> (SP) --> client


turning oauth into an openid extension? keturn did this before...


how do we make the user experience better?



openid provider could tie together tokens with identification.. centralize the process of authorization


part of this is single sign-on...


it's easy if the relying party is the token service provider...


as a group do we want to solve only openid OP and SP being the same?


eran gave an example of his oauth-openid nouncer flow


consumer asks sp for request token and provides the openid url... hint is in request request, authorization is in callback url, if there was an openid extension to ask questions (like "by logging in, you're also allowing access from this provider") then it would be client --> iDP --> client...


issue with this idea is that the iDP will not have a trust relationship with


if you're an openid and oauth provider, how do we reduce the friction?





AOL did it with token exchange for OpenID... token attributes, plus profile attributes

Dick suggests attribute exchange


might have some redundant associations...


this flow is like adding facebook apps


isn't identity on provider just one of the assets on the iDP?