Another potential direction is to stick with the plain old OAuth protocol, which allows outsourcing authentication to one or more services that you list up front. I talked to a local expert on distributed authorization, and he said that what I've described (plus a rarely used OpenID option) is the de facto standard on the web today.

For instance, with just OAuth, it's easy to bring up a service that does all authentication via GitHub accounts.

On 10/22/2015 11:02 AM, Adam Chlipala wrote:
On 10/21/2015 05:12 AM, Eran Meir wrote:
From what I read, the two main alternatives for identity management are OIDC (OpenID Connect) <https://en.wikipedia.org/wiki/OpenID_Connect> and SAML <https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>.
[...]

If I had to risk a guess I would say OIDC will gradually replace SAML (or a new system will replace both?), so I suggest supporting OIDC.

OIDC is basically OAuth 2.0 + JWT <https://en.wikipedia.org/wiki/JSON_Web_Token>. A gradual implementation approach may be supporting those building blocks as Ur/Web libraries first.

OK, this seems like the most positive recommendation so far, in terms of a concrete "standard" that is in use by key players today.

Is anyone interested in taking the lead in developing a library?

I'm motivated enough about at least the OAuth part, as I want to use it for a web app, aimed at developers, to do login with GitHub credentials. So, I expect that bit would get done by early 2016, even if no one else volunteers. JWT/OIDC would be a lower priority, but sounds appropriate for apps targeting broader audiences.

However, I would be very glad to see someone else taking the lead on an open-source Ur/Web library that handles all the credible enough authentication protocols. The existing OpenID library could be a good inspiration:
http://hg.impredicative.com/openid
[Presumably that original OpenID protocol is no longer worth supporting.]

Any takers?
_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
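The two building blocks the thread keeps coming back to, plain OAuth 2.0 for "login with GitHub" and OIDC as "OAuth 2.0 + JWT", fit in one small offline model. The code below is an added example, not from this mailing-list thread and not part of the Ur/Web project or its OpenID library; it is written in Python with only the standard library rather than Ur/Web so it can be run as-is. The provider endpoints, client id, client secret and user claims are constructed placeholders. It models the relying-party side of the authorization-code flow (random `state` checked on the callback, random `nonce` bound to the ID token) and validates the returned ID token: pinned algorithm, signature, `iss`, `aud`, `exp` and `nonce`. The token is signed with HS256 keyed by the client secret, which OIDC permits, so that no RSA library is needed; a production relying party would normally fetch the provider's RS256 keys instead.

```python
"""Offline model of an OAuth 2.0 authorization-code login and OIDC ID-token
validation (added example; all provider values are constructed placeholders)."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed placeholders, not a real provider or client registration.
PROVIDER = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "client_id": "my-client",
    "client_secret": b"client-secret-placeholder",
    "redirect_uri": "https://app.example/callback",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- Relying-party side: start of the flow ---------------------------------
def build_authorization_request(session: dict, want_id_token: bool) -> str:
    """Return the redirect URL. `state` ties the callback to this browser
    session (login CSRF defence); `nonce` ties the ID token to this login."""
    session["state"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": PROVIDER["client_id"],
        "redirect_uri": PROVIDER["redirect_uri"],
        "state": session["state"],
        # The 'openid' scope is what turns a plain OAuth request into OIDC.
        "scope": "openid" if want_id_token else "user:email",
    }
    if want_id_token:
        session["nonce"] = secrets.token_urlsafe(16)
        params["nonce"] = session["nonce"]
    return PROVIDER["authorization_endpoint"] + "?" + urlencode(params)

def handle_callback(session: dict, callback_url: str) -> str:
    """Verify `state` before using the code; return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    expected = session.pop("state", None)   # single use
    if expected is None or not hmac.compare_digest(q.get("state", [""])[0], expected):
        raise ValueError("state mismatch (possible login CSRF)")
    return q["code"][0]

# --- ID token (JWT) validation --------------------------------------------
def validate_id_token(token: str, key: bytes, nonce: str, now=None) -> dict:
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != PROVIDER["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != PROVIDER["client_id"] and not (isinstance(aud, list) and PROVIDER["client_id"] in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed ID token)")
    return claims

# --- Provider stand-in: mint a token so the example runs offline -----------
def mint_id_token(key: bytes, claims: dict) -> str:
    h64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"

def demo() -> dict:
    """Run one complete login: redirect, callback, token check; return claims."""
    session = {}
    build_authorization_request(session, want_id_token=True)
    # Simulated provider redirect back to the app, echoing our state.
    cb = PROVIDER["redirect_uri"] + "?" + urlencode({"code": "constructed-code", "state": session["state"]})
    code = handle_callback(session, cb)
    assert code == "constructed-code"
    # Simulated token-endpoint response: an ID token for this client and nonce.
    tok = mint_id_token(PROVIDER["client_secret"], {
        "iss": PROVIDER["issuer"], "aud": PROVIDER["client_id"], "sub": "user-42",
        "exp": int(time.time()) + 300, "nonce": session["nonce"]})
    return validate_id_token(tok, PROVIDER["client_secret"], session["nonce"])

if __name__ == "__main__":
    print(demo())
```

The GitHub-login case Adam describes is the same flow with `want_id_token=False`: no `nonce`, no ID token, and the user identity comes from an API call made with the access token instead of from signed claims. The `state` check applies in both cases; skipping it is the classic login-CSRF mistake in OAuth clients.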