Am 20.05.2010 05:18, schrieb Allen Tom:
Whoa, I think it's premature to say that Yahoo supports OpenID
Connect, but I would imagine that only a single Access Token would be
returned to coolcalendar.com -- the Access Token would presumably be
good for both "openid" and "calendar" scope. Why would the OP want to
return 2 tokens?
very good question!
Probably because the protected resources for user data and calendar data
access are operated independently? Let's assume the AS issues
self-contained, signed, and encrypted bearer tokens. The signature and
encryption could be based on a shared secret between AS and RP. In such
a scenario, it is required to issue different, PR specific, tokens.
Otherwise, user data and calendar data service could (1) either not
decrypt and validate the token or (2) would be forced to share the same
secret.
Moreover, the RPs might need different user attributes and permissions,
so even the payload might differ.
regards,
Torsten.
P.S: I suggest to move the discussing to the OAuth mailing list. Thoughts?
Allen
On 5/19/10 5:27 PM, "Dirk Balfanz" <balf...@google.com> wrote:
Let's say I'm coolcalendar.com <http://coolcalendar.com> , and I
want to "connect" one of my user's accounts to his Yahoo! account.
I don't want to roll my own auth system, so I'm happy to see that
Yahoo! supports OpenID Connect. To connect, I'll send the user
over to Yahoo! with scope=openid%20yahoo-calendar. What I get
back, in your proposal, is two different kinds of "tokens": the
access token that my servers use to access Yahoo! and something
I'll call "openid connect token" (which in your proposal comprises
a few different parameters - user id, timestamp, signature, etc.)
that browsers use (in form of a cookie) to access my own servers
at coolcalendar.com <http://coolcalendar.com> .
Why do those two tokens look different? They serve the same
purpose - authenticating access from a client to a server, so they
should look the same.
Why should Yahoo! run different code to authenticate requests
coming from my server than the code I'm running on my servers to
authenticate requests coming from browsers - we have to solve the
same task, so we should run the same code. It's simpler.
_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
