Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Darren Bounds Thu, 13 Nov 2008 13:58:30 -0800

I think so. What about cases where two descrete applications/consumersshare a realm?


Sent from a mobile device.


On Nov 13, 2008, at 3:58 PM, Dirk Balfanz <[EMAIL PROTECTED]> wrote:

On Thu, Nov 13, 2008 at 12:46 PM, Allen Tom <[EMAIL PROTECTED]>wrote:
Hi Yariv,
In the registered consumer case, the SP will need the Consumer Keyto show the Approval page. Previous versions of the spec had theRequest Token in the OpenID Authentication request, which allowedthe SP to derive the Consumer Key from the Request Token. At theIIW, we had discussed somehow tying the Association Handle to theConsumer Key.
Regardless of the solution, the SP will need to be know the ConsumerKey in order to properly identify the OAuth Consumer when displayingthe Approval page. The OpenID Realm is not quite sufficient, atleast for SPs which require consumers to pre-register for a CK.
I don't think this is true - I believe the realm is sufficient. Letme try and explain. (We'll assume registered consumers.) On theapproval page, we need to identify the consumer. In its currentform, the spec basically assumes that you're gonna use the realm forthat.
Let's assume that The Bad Guy somehow managed to sneak a misleadingrealm into a request, i.e. the user sees the realm on the login pageand clicks "approve" when he wouldn't have approved had he known thereal identity of The Bad Guy.
The OP embeds, in the request token, the realm to which the requesttoken was issued.
Later, when The Bad Guy tries to exchange the request token for anaccess token, it won't work, b/c The Bad Guy only has access to hisown consumer secret, which doesn't match the realm embedded in therequest token.
So we _do_ have a binding from the request token to the consumerkey, it's just enforced later, not at approval time.
Does this make sense, or am I missing something?

Dirk.
One possible optimization would be to just use the Consumer Key asthe OpenID Association Handle, and Consumer Secret as the OpenIDAssociation. The Consumer can just sign the OpenID Auth requestusing its CK/CS and the OP can return a pre-approved response tokenin the OpenID assertion. The Consumer can then exchange the responsetoken for the OAuth Access Token/ ATS.
Thoughts?
Allen



Yariv Adan wrote:
Following the IIW session on this topic, we updated the spec in http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.htmlto address the issues that were raised. Especially, optimizing onhow OAuth request token is handled, allowed to remove one fullroundtrip!
Would appreciate any feedback on the updated suggestion.

Thanks

On Mon, Nov 3, 2008 at 12:00 PM, <[EMAIL PROTECTED]> wrote:
Send specs mailing list submissions to
       specs@openid.net

To subscribe or unsubscribe via the World Wide Web, visit
       http://openid.net/mailman/listinfo/specs
or, via email, send a message with subject or body 'help' to
       [EMAIL PROTECTED]

You can reach the person managing the list at
       [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of specs digest..."


Today's Topics:

  1. Proposal to create the OpenID OAuth Hybrid Working Group
     (Yariv Adan)
----------------------------------------------------------------------
Message: 1
Date: Mon, 3 Nov 2008 15:30:57 +0100
From: Yariv Adan <[EMAIL PROTECTED]>
Subject: Proposal to create the OpenID OAuth Hybrid Working Group
To: specs@openid.net
Message-ID:
       <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
In accordance with the OpenID Foundation IPR policies andprocedures<http://openid.net/foundation/intellectual-property/ > this noteproposes the
formation of a new working group chartered to produce an OpenID
specification.
As per Section 4.1 of the Policies, the specifics of the proposedworking
group are:

Background Information:
OpenID has always been focused on how to enable user-authenticationwithin
the browser.  Over the last year, OAuth has been developed to allow
authorization either from within a browser, desktop software, ormobile
devices.  Obviously there has been interest in using OpenID and OAuth
together allowing a user to share their identity as well as grant aRelyingParty access to an OAuth protected resource in a single step. Asmall groupof people have been working on developing an extension to OpenIDwhich makes
this possible in a collaborative fashion within
http://code.google.com/p/step2/. This small project includes adraft specand Open Source implementations which the proposers would like tofinalize
within the OpenID Foundation.


Working Group Name:
OpenID OAuth Hybrid Working Group


Purpose:
Produce a standard OpenID extension to the OpenID Authenticationprotocolthat provides a mechanism to embed an OAuth approval request intoan OpenIDauthentication request to permit combined user approval. Theextensionaddresses the use case where the OpenID Provider and OAuth ServiceProviderare the same service. To provide good user experience, it isimportant topresent a combined authentication and authorization screen for thetwo
protocols.


Scope:
Standardize the draft Hybrid Protocol (
http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html)
as an official OpenID Extension describing how to combine an OpenID
authentication request with the approval of an OAuth request token.


Anticipated Contributions:
Draft specification referenced above and various text contributionsas more
developers implement it.


Proposed List of Specifications:
OpenID OAuth Extension 1.0. Spec completion by Q4 2008.


Anticipated audience or users of the work:
 - OpenID Providers and Relying Parties
 - OAuth Consumers and Service Providers
 - Implementers of OpenID Providers and Relying Parties


Language in which the WG will conduct business:
English.


Method of work:
E-mail discussions on the working group mailing list and workinggroup
conference calls.


Basis for determining when the work of the WG is completed:
The work will be completed once it is apparent that maximalconsensus on theprotocol proposal has been achieved within the working group,consistent
with the purpose and scope.


Proposers:
 - Ben Laurie, [EMAIL PROTECTED], Google
 - Breno de Medeiros, [EMAIL PROTECTED], Google
 - David Recordon, [EMAIL PROTECTED], Six Apart
 - Dirk Balfanz, [EMAIL PROTECTED], Google
 - Joseph Smarr, [EMAIL PROTECTED], Plaxo
- Yariv Adan, [EMAIL PROTECTED], Google - Allen Tom, [EMAIL PROTECTED],
Yahoo
 - Josh Hoyt, [EMAIL PROTECTED] , JanRain


Initial Editors:
 - Dirk Balfanz, [EMAIL PROTECTED], Google  - Breno de Medeiros,
[EMAIL PROTECTED], Google


--
Yariv Adan | Product Manager
Google Switzerland GmbH | Identifikationsnummer: CH-020.4.028.116-1
This e-mail is confidential. If you are not the right addresseeplease donot forward it, please inform the sender, and please erase this e-mail
including any attachments. Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
http://openid.net/pipermail/specs/attachments/20081103/21c48c00/attachment.html

------------------------------

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

End of specs Digest, Vol 27, Issue 3
************************************



--
Yariv Adan | Product Manager
Google Switzerland GmbH | Identifikationsnummer: CH-020.4.028.116-1
This e-mail is confidential. If you are not the right addresseeplease do not forward it, please inform the sender, and pleaseerase this e-mail including any attachments. Thanks.
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Reply via email to