I posted this to the specs-ab list earlier today.

Links for those that haven't looked yet.
 
https://browserid.org/
http://arstechnica.com/web/news/2011/07/mozillas-browserid-aims-to-simplify-authentication-on-the-web.ars
 
They are using asymmetrically signed JWT with an introspection endpoint.
 
There are limitations on attributes, identifiers and other serious issues with 
what Mozilla is proposing.
 
Though it is relatively close to what Nat and I were thinking with 
asymmetrically signed id_tokens, and an introspection endpoint.
 
In some ways our flow would be simpler if the id_tokens were always 
asymmetrically signed and anyone not supporting that uses the introspection 
endpoint, as they propose.
 
If the RP doesn't understand asymmetric signatures it just throws to the 
introspection endpoint.  
The big advantage is for smart clients.  They would not need to manage shared 
secrets to validate tokens.
 
For a smart client I suppose that you could let it generate its own access 
tokens if those access tokens are JWT and they wrap a JWT containing the 
client's public key and some scope constraints etc.   In principle that could 
lower the IdP's authorization load.  It could also be a way to prevent the IdP 
from knowing who the RP is in the simple SSO case.

If the browser supports asymmetric keys securely (they are using HTML5 local 
storage keyed to a trusted domain) you could have the smart client provide its 
public key to the OP and have an assertion without an audience generated and 
signed.   The client would then over-sign with an audience.  (some potential 
size issues with double base64 encoding)
 
Just some things to think about.
 
John B.


On 2011-07-16, at 9:25 AM, David Recordon wrote:

> Thoughts?
> 
> http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
