OAuth can be used as a bastardized mechanism to do SSO, but it's not really
recommended.
OAuth only provides you with tokens, which could later be revoked,
effectively destroying the identity that you're relying on.
OpenID is the preferred way to achieve SSO because it provides you with a
If a site has an API that returns a stable user identifier then OAuth can
work fine as an SSO. I wouldn't go so far as to call it bastardized.
The big difference between OpenID and OAuth is the idiom used. OpenID is
designed to not require prior registration for use -- multiple relying parties
This is worth exploring further at the next OpenID Summit (assuming there is
interest). RPs that we talk to have overlapping use cases and it's not fair
to their developers to have completely independent SDKs (different signing
mechanism, onboarding process, etc.).
-Ashish
Agreed. There's a bunch of interesting things that could be done to
bring OpenID and OAuth closer together.
On Fri, Mar 26, 2010 at 7:15 PM, Ashish Jain iti...@gmail.com wrote:
This is worth exploring further at the next OpenID Summit (assuming there is
interest). RPs that we talk to have
I do agree with that. But it is important to recognize where each came
from, and what problems each respectively sought to address.
Narrowing the divide between the two and making it easier to use both
together is something I'm absolutely in favor of.
On Mar 26,