On Thu, Sep 05, 2013 at 10:25:22PM +0400, Oleg Broytman wrote: > On Thu, Sep 05, 2013 at 02:16:29PM -0400, Donald Stufft <don...@stufft.io> > wrote: > > > > On Sep 5, 2013, at 2:12 PM, Oleg Broytman <p...@phdru.name> wrote: > > > I used to use myOpenID and became my own provider using poit[1]. > > > These days I seldom use OpenID -- there are too few sites that allow > > > full-featured login with OpenID. The future lies in OAuth 2.0. > > > > The Auth in OAuth stands for Authorization not Authentication. > > There is no authorization without authentication, so OAuth certainly > performs authentication: http://oauth.net/core/1.0a/#anchor9 , > http://tools.ietf.org/html/rfc5849#section-3 > Sortof.... The way OAuth looks to me, it's designed to prove that a given client is authorized to perform an action. It's not designed to prove that the given client is a specific person. In some cases, you really want to know the latter and not merely the former. So I think in these situations Donald's separation of Authz and Authn makes sense.
-Toshio
pgppLjnxYjd1p.pgp
Description: PGP signature
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
