[oauth] Using OAuth as SSO

2010-03-26 Thread Adam
We currently use CAS for SSO.  I'd like to have SSO into Gmail, but do
not want to switch to OpenID.  Is it possible to use OAuth to log
users in to their Gmail accounts?  Or is OAuth only meant to retrieve
user data?

I am currently using SignPost to connect to OAuth... if it matters.

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
OAuth group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to 
oauth+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/oauth?hl=en.



Re: [oauth] Using OAuth as SSO

2010-03-26 Thread Chris Messina
OAuth can be used as a bastardized mechanism to do SSO, but it's not really
recommended.

OAuth only provides you with tokens, which could later be revoked,
effectively destroying the identity that you're relying on.

OpenID is the preferred way to achieve SSO because it provides you with a
stable, reusable identifier.

Twitter uses OAuth for SSO, but it's really kind of a mis-use of the
technology, although in practice it kind of solves the problem.

Essentially OpenID provides you with identity; OAuth provides you
authorization to do things on behalf of a user. Since you're doing something
on behalf of a user, you get a kind of temporary identity to do stuff but
it's much more fragile than OpenID.

Why don't you want to do OpenID?

Chris

-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable   [X] ask first   [ ] private




Re: [oauth] Using OAuth as SSO

2010-03-26 Thread Paul Lindner
If a site has an API that returns a stable user identifier then OAuth can
work fine as an SSO.  I wouldn't go so far as to call it bastardized..

The big difference between OpenID and OAuth is the idiom used.  OpenID is
designed to not require prior registration for use -- multiple relying
parties and providers can interoperate using URLs and attribute exchange.
With OAuth you need a consumer key/secret for your site, and the APIs for
attribute exchange change from provider to provider.



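The two positions above (a revoked token destroys the identity; a stable user identifier from the provider's API makes OAuth workable for sign-in) can be compared side by side. This is an added example, not code from any poster or provider; `FakeProvider`, `whoami`, and both site classes are hypothetical names, and the user id is constructed.

```python
import secrets


class FakeProvider:
    """Constructed stand-in for an OAuth provider exposing a 'who am I' API."""

    def __init__(self):
        self._tokens = {}  # access token -> stable user id

    def issue_token(self, user_id):
        token = secrets.token_hex(8)
        self._tokens[token] = user_id
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def whoami(self, token):
        """Return the stable user id for a live token, or None if revoked."""
        return self._tokens.get(token)


class TokenKeyedSite:
    """Fragile: the access token itself is treated as the user's identity."""

    def __init__(self):
        self.accounts = {}

    def login(self, provider, token):
        if provider.whoami(token) is None:
            return None  # revoked or unknown token
        return self.accounts.setdefault(token, f"local-{len(self.accounts) + 1}")


class IdKeyedSite:
    """Local account is keyed on (provider name, provider's stable user id)."""

    def __init__(self, provider_name):
        self.provider_name = provider_name
        self.accounts = {}

    def login(self, provider, token):
        user_id = provider.whoami(token)
        if user_id is None:
            return None
        key = (self.provider_name, user_id)
        return self.accounts.setdefault(key, f"local-{len(self.accounts) + 1}")


def demo():
    provider = FakeProvider()
    fragile, stable = TokenKeyedSite(), IdKeyedSite("example-provider")
    t1 = provider.issue_token("user-1001")          # first authorization
    first = (fragile.login(provider, t1), stable.login(provider, t1))
    provider.revoke(t1)                             # user revokes access
    revoked = (fragile.login(provider, t1), stable.login(provider, t1))
    t2 = provider.issue_token("user-1001")          # user authorizes again
    second = (fragile.login(provider, t2), stable.login(provider, t2))
    return first, revoked, second


if __name__ == "__main__":
    print(demo())
```

After re-authorization the token-keyed site sees a brand-new user, while the id-keyed site maps the new token back to the original local account.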


Re: [oauth] Using OAuth as SSO

2010-03-26 Thread Ashish Jain
This is worth exploring further at the next OpenID Summit (assuming there is
interest). RPs that we talk to have overlapping use cases and it's not fair
to their developers to have completely independent SDKs (different signing
mechanism, onboarding process, etc.).
-Ashish

---
Ashish Jain
Sr. Product Manager, PayPal Identity Services
email: ashish.j...@paypal.com
cell: 303-548-4325
skype: itickr
---



On Fri, Mar 26, 2010 at 7:16 PM, Robert Winch rwi...@gmail.com wrote:

 If you haven't seen this post, it may be of interest
 http://hueniverse.com/2009/04/introducing-sign-in-with-twitter-oauth-style-connect/





Re: [oauth] Using OAuth as SSO

2010-03-26 Thread David Recordon
Agreed.  There's a bunch of interesting things that could be done to
bring OpenID and OAuth closer together.




Re: [oauth] Using OAuth as SSO

2010-03-26 Thread Chris Messina
I do agree with that. But it is important to recognize where each came  
from, and what problems each respectively sought to address.


Narrowing the divide between the two and making it easier to use both  
together is something I'm absolutely in favor of.


Sent from my iPhone 2G
