Comments on: OpenID 2.0’s Killer Feature http://barelyenough.org/blog/2007/12/openid-20s-killer-feature/ Thu, 04 Dec 2008 04:33:17 +0000 http://wordpress.org/?v=2.5 By: http://pezra.barelyenough.org/ http://barelyenough.org/blog/2007/12/openid-20s-killer-feature/#comment-40275 http://pezra.barelyenough.org/ Wed, 26 Dec 2007 17:59:51 +0000 http://pezra.barelyenough.org/blog/2007/12/openid-20s-killer-feature/#comment-40275 <p>Nilez Parker,</p> <p>Unfortunately, I have not really spent a lot of time looking at what OAuth is capable of, so I cannot really say.</p> Nilez Parker,

Unfortunately, I have not really spent a lot of time looking at what OAuth is capable of, so I cannot really say.

]]> By: Nilez Parker http://barelyenough.org/blog/2007/12/openid-20s-killer-feature/#comment-40255 Nilez Parker Sat, 22 Dec 2007 02:28:27 +0000 http://pezra.barelyenough.org/blog/2007/12/openid-20s-killer-feature/#comment-40255 <p>above, the reference to "direct identity" really meant "identity discovery"...</p> above, the reference to “direct identity” really meant “identity discovery”…

]]> By: Nilez Parker http://barelyenough.org/blog/2007/12/openid-20s-killer-feature/#comment-40254 Nilez Parker Sat, 22 Dec 2007 02:18:14 +0000 http://pezra.barelyenough.org/blog/2007/12/openid-20s-killer-feature/#comment-40254 <p>This new feature is definitely killer. I've spent so much time already trying to figure out if I can accomplish complete transparency between several apps with the current status of OpenId and OAuth.</p> <p>It's nice to be able to do direct identity, but that doesn't seem to be all that efficient with OAuth. Wouldn't it be sufficient for an OAuth consumer to pass an openid_url and a kind of permission-to-act-as token, and then the OAuth provider go and authenticate that token with the user's openid_server? In effect, the OAuth consumer has been granted permission to "act as" the user; and the OAuth provider just verifies that fact. What do you think? It'd be less hassle between apps, and zero user interaction.</p> This new feature is definitely killer. I’ve spent so much time already trying to figure out if I can accomplish complete transparency between several apps with the current status of OpenId and OAuth.

It’s nice to be able to do direct identity, but that doesn’t seem to be all that efficient with OAuth. Wouldn’t it be sufficient for an OAuth consumer to pass an openid_url and a kind of permission-to-act-as token, and then the OAuth provider go and authenticate that token with the user’s openid_server? In effect, the OAuth consumer has been granted permission to “act as” the user; and the OAuth provider just verifies that fact. What do you think? It’d be less hassle between apps, and zero user interaction.

]]>