Mike, Thank you very much for sending the links to the artifact binding home page and spec. I've had a quick look, and maybe I'm missing something, but it seems that this completely ignores the problem of authenticating the relying party. In section 7.4.1, the RP registers on the fly just by telling the OP who it claims to be, and the OP takes the RP's word for it without any verification and issues a client_secret. Same as OpenID Connect.
OpenID 2.0 at least goes to the trouble of asking the user whether he/she trusts the realm, and then verifying the return_url against the realm. I don't think that's sufficient, but it's better than nothing. Francisco --- On Wed, 1/5/11, Mike Jones <[email protected]> wrote: From: Mike Jones <[email protected]> Subject: RE: [OAUTH-WG] TLS is needed for redirecting back to the client To: "[email protected]" <[email protected]>, "Marius Scurtescu" <[email protected]>, "Justin Richer" <[email protected]> Cc: "[email protected]" <[email protected]>, "Karen P. Lewison" <[email protected]>, "Nat Sakimura ([email protected])" <[email protected]>, "John Bradley" <[email protected]> Date: Wednesday, January 5, 2011, 5:18 PM You can read about the Artifact Binding at https://bitbucket.org/openid/ab/wiki/Home. The latest draft is at https://bitbucket.org/openid/ab/raw/c1eaac175dc8/openid-artifact-binding-1_0.html. Nat Sakimura is actively updating the specification as we speak, incorporating some of the ideas from OpenID Connect. The merger of the specs that Nat is working on is sometimes referred to as OpenID Artifact Binding/Connect or OpenID ABC for short. FYI, specification will be using JSON Web Tokens (JWTs). -- Mike From: [email protected] [mailto:[email protected]] On Behalf Of Francisco Corella Sent: Tuesday, January 04, 2011 5:04 PM To: Marius Scurtescu; Justin Richer Cc: [email protected]; Karen P. Lewison Subject: Re: [OAUTH-WG] TLS is needed for redirecting back to the client --- On Tue, 1/4/11, Justin Richer <[email protected]> wrote: > > > We need a protocol that does both authentication and > > > authorization. We can take OAuth and adapt it for > > > authentication, or take OpenID and adapt it for > > > authorization, or combine OpenID and OAuth (great > > > solution > > > for people who love complexity) or... take the best > > > ideas > > > from OpenID and OAuth and incorporate them into a new > > > protocol that's designed from the start for both > > > authentication and authorization. That's one of my > > > motivations for proposing PKAuth. > > > > Are you aware of OpenIDConnect? > > > > http://openidconnect.com/ > > And also the latest drafts of OpenID Artifact Binding: > > http://wiki.openid.net/w/page/12995134/Artifact-Binding I'm not familiar with that, and I haven't been able to find a draft at the site. Francisco
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
