On 2013-04-30 12:13, Leen Besselink wrote:
> You asked for it. :-)
>
> While I totally agree that tying your identity to Facebook, Google,
> Twitter and others is bad.
>
> Calling them proprietary might be a bit unfair?
>
> Yahoo supports:
> - oAuth
> - OpenID
>
> Google supports:
> - oAuth
> - OpenID
> - SAML (for corporate Google apps/docs)
i didn't call using a commercial identity provider in general
proprietary. Indeed Yahoo and Google provide OpenID, and even played a
big role in developing it in the first place.
> Facebook supports:
> - oAuth
>
> Twitter supports:
> - oAuth
>
> With oAuth of Facebook, Yahoo and Google it is possible for the
> website to get the email address.
the use of oAuth as such doesn't say anything about whether you are
offering any open identity protocol. oAuth is a best practice for
exposing the login screen of your API:
http://insanecoding.blogspot.co.nz/2013/03/oauth-great-way-to-cripple-your-api.html
> So I think it should be possible to replace that with Persona,
> because Yahoo and Google are email
> providers and Facebook has a 'verified' flag.
yes, Google, Yahoo and Facebook should all implement Persona, and in
fact, Yahoo already do:
http://techcrunch.com/2013/04/09/mozilla-persona-beta-2/ and in min.
2:23 of the video on there they announce they will have >50% of all
email users worldwide soon, so i'm guessing that would mean they got
either Google or Microsoft, too.
sure, as long as there are not too many parties offering
vendor-specific "social signin" systems, then a relying party can still
come pretty close to what whitelist-based OpenID gives you, by simply
displaying an OpenID nascar-screen, and adding the logos of Facebook,
Twitter and Github to it.
but you would then have to write 4 login systems:
- one generic OpenID one,
- one specifically for Facebook,
- one specifically for Twitter, and
- one specifically for Github.
yes, also a very interesting development! thanks for the link.
Cheers,
Michiel