--
You received this message because you are subscribed to the Google Groups "Python Pune" group.
To post to this group, send email to pytho...@googlegroups.com.
To unsubscribe from this group, send email to pythonpune+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pythonpune?hl=en.
Thanks Dhananjay, I am going to read up more on OAuth. I understand it conceptually, and know that Twitter authentication is now OAuth based. However, would OAuth by itself support multi-site federated login? Perhaps a combination of OAuth and domain-level cookies would be needed?
From [3]
===
In theory, OpenID and OAuth are complementary. OpenID helps determine who you are (“authentication”) and OAuth defines how you give access to protected data (“authorization”). A site that supports OAuth could also support OpenID for authentication.
However, my view is a little different. Given that the current trend amongst the internet giants (Google, Yahoo and MSN) is to: (a) increase their user base (b) make more people use their services, OpenID might not excite them. It works against (a). Even AOL, which has 63 million OpenIDs, does so by being an OP. They are still not a relying party (RP). It will be interesting to see how they support it. Will you be allowed to access AOL services with any OpenID? Will you be asked to fill in a whole bunch of profile info after login?
OAuth on the other hand ought to please these companies. They can keep their entire user base and data to themselves and yet allow third parties to integrate into their services. The more the number of external websites that integrate with them, the more their services will be used (almost all popular websites today release a “developer” API for the same reason).
===
I would go with OpenID. SSO is more like authentication than authorization, IMO.
A few useful links:
1. http://stackoverflow.com/questions/3376141/openid-vs-oauth
2. http://www.clauswitt.com/openid-and-oauth-for-sso/
3. http://portalzone.blogspot.com/2007/12/openid-oauth-complimentary-or-competing.html
On 10-Dec-2010, at 11:06 PM, Parag Shah wrote:
> I am making a DIY learning web app which is powered by Java. This webapp also needs forums, and I was thinking of using a StackExchange clone (maybe OSQA) made in Python.
>
> I am planning to use OpenId, Twitter, FB, and regular user accounts for authentication on my website. Is it possible to cleanly implement single sign-on between the main website and the various forums powered by OSQA?
>
> Here is a typical scenario. A user comes to www.myapp.com and logs in. Then if she visits forums.myapp.com she should be automatically logged in.
>
> I have been reading up possible solutions to this problem, and the one which seems smoothest is to use domain level cookies. I will not be able to use this solution across domains (which seems to be fine for now at least). I am not very keen to use session id's encoded in url's or as form data.
>
> Has anyone had any experience implemented single sign-on across domains? Am very interested in knowing what sort of hiccups I might have to deal with, if I implement single sign-on.
>
>
> --
> Thanks & Regards
> Parag Shah
> http://blog.adaptivesoftware.biz
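
The domain-level cookie approach raised in the question above, sketched as an added example that is not part of the original thread: the main site issues an HMAC-signed cookie scoped to `.myapp.com` and the forum verifies it before trusting the login. The cookie name, the shared key and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"   # assumption: secret shared by both apps
COOKIE_NAME = "sso"                # hypothetical cookie name
MAX_AGE = 3600                     # seconds a login stays valid

def _sign(body):
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_cookie(user_id, now=None):
    """www.myapp.com: build the Set-Cookie header value after login."""
    expires = int((time.time() if now is None else now) + MAX_AGE)
    raw = f"{user_id}|{expires}".encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    jar = SimpleCookie()
    jar[COOKIE_NAME] = f"{body}.{_sign(body)}"
    morsel = jar[COOKIE_NAME]
    # Every host under myapp.com receives this cookie, so every such host
    # must be trusted; an unsigned session id here could be replayed by any.
    morsel["domain"] = ".myapp.com"
    morsel["path"] = "/"
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # hidden from page scripts
    morsel["samesite"] = "Lax"
    morsel["max-age"] = MAX_AGE
    return morsel.OutputString()

def verify_cookie(cookie_header, now=None):
    """forums.myapp.com: return the user id, or None if the cookie is bad."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    body, _, sig = jar[COOKIE_NAME].value.partition(".")
    # Constant-time comparison; rejects tampered or foreign-key cookies.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    try:
        padded = body + "=" * (-len(body) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode()
        user_id, expires = decoded.rsplit("|", 1)
        expires = int(expires)
    except ValueError:             # bad base64, bad UTF-8, or bad layout
        return None
    if expires < (time.time() if now is None else now):
        return None                # login has expired
    return user_id
```
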
you want to be careful with #4 'cause certain browsers might just block those requests as XSS
- d