Small aside: I've implemented a similar workflow myself recently and
I've avoided any changes of user account details on Relying Parties:
http://developmentseed.org/blog/2010/mar/02/simple-sign-openid
All changes to accounts properties (user name, email, etc) are done on
the provider to avoid asynchronicities.
Alex
On May 17, 2010, at 12:03 AM, Manuel Lemos wrote:
Hello,
With this thread of using oAuth 2 for identity I am confused to which
protocol should I use for a single sign-on solution that I need to
implement.
Let me explain my case and see if anybody can clarify what is the best
solution for me.
I have one site, lets call it site A, that has many user accounts. I
want to build another site, lets call it site B, but I do not want
users
with accounts in site A to create new accounts to access site B. They
could just use the same account data from site A and use it in site B.
In the future I may have sites C, D, etc..
I thought of creating an OpenID authentication server, lets call it
OP,
and migrate user account from site A to OP. When users go to site A
or B
and need to login, they are redirected via OpenID to OP for
authentication.
If successful, OP passes site A or B the account, personal name, nick
name and e-mail when redirecting back to sites A or B, so those sites
always have copies of that account information for imediate use.
If the user updates one of those details in site A or B, they push the
changes to OP and OP propagates the changes to the other site A or B
that also has the same user account.
From the specifications that I read, OpenID and its extensions can be
used the way I need.
This will all be used only within my network sites. I do not intend to
allow users to autheticate with external OpenID providers, nor I want
other sites to use my OpenID provider to authenticate in other sites.
Since this is meant for use restricted to my sites, I could invent a
proprietary protocol, but I thought it was better to not reinvent
the wheel.
I will develop all the necessary components to implement the OpenID
provider and consumers with the needed extensions. Actually the
consumer
component is mostly done.
I was moving to the OpenID provider component when I noticed this
thread
of using oAuth 2 for identity. So now I wonder if I am in the right
path? Shall I keep doing it with OpenID or shall I do it with oAuth 2?
Can anybody please shed some light so I can make the best decision?
--
Regards,
Manuel Lemos
Find and post PHP jobs
http://www.phpclasses.org/jobs/
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
Alex Barth
http://www.developmentseed.org/blog
tel (202) 250-3633
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
