Re: http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html
David Recordon
Thanks,
--David
On Dec 13, 2008, at 1:56 PM, Pat Cappelaere wrote:
> Gentlemen,
>
> As part of an interoperability effort sponsored by the Open
> GeoSpatial Consortium (OGC), the Workflow Management Coalition and a
> few other partners including myself have signed up to address the
> issue of RESTful workflows accessing restricted web services across
> many organizations.
>
> This scenario presents many challenges due to the number of services
> that could potentially be accessed by the workflows on behalf of the
> users.
>
> Workflow Chaining Services (WfCS) are themselves nothing more than
> black-box web services as far as the user is concerned.
>
> Token Management from a user perspective and service provider (SP)
> is also an issue. We want to make it as simple as possible for the
> user to grant/revoke identity delegation and as easy as possible for
> those providers to implement the protocol in a uniform and
> consistent manner.
>
> OAuth has been implemented without OpenID as an assumption. This
> was a great idea.
>
> If OpenID is now a reality for our community, how can we leverage it
> to provide a consistent user experience? The user is already
> familiar with the concept of granting "sites" usage of his identity
> and access (or not) to his profile info.
> The user can also manage these grants from his OpenID account, get
> notifications when "sites" request access....
>
> There seem to be a small step to make to integrate OAuth within the
> existing infrastructure that is already made available by the
> exisiting openID providers such as myopenid.com and myvidoop.com.
>
> I have looked at the proposed extension (http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html
> ) but feel that it may fall short from this expectation (but could
> be wrong). This is certainly a good first step.
>
> Instead of asking for an access token from a user out of context
> (who is the consumer, who is the provider, what is the requested
> access realm or resource), why can't we make this part of the request?
>
> The user could respond with yea/nay and even make this semi-
> permanent until revoked right from that same account. The service
> provider could keep checking in with the immediate mode. This makes
> it very simple for the SP (which already supports openid as an RP).
> Service providers are seldom OPs in our case.
>
> This makes is very consistent for the user. S/he does not have to
> go to X number of sites and manage access in various manners.
>
> I would appreciate your feedback.
>
> Thanks,
>
> Pat.
>
David Recordon
Dirk Balfanz
let me see whether I understand your proposal (from a user experience point of view):
You would like a flow in which a user visits an RP, becomes interested in the service the RP provides, and decides to "sign up" at the RP. The RP then sends the user to an OP for login, but also wants to request access to potentially many OAuth SPs that have the user's data.
So the approval page, at the OP, that the user should see would say something like "You're about to log into RP. The RP would like access to the following resources: your data X at x.com, your data Y at y.com, etc." (where x.com and y.com are not the same as the OP).
Did I get this right?
If so, then you're right that the current spec on step2.googlecode.com doesn't address that use case. For this to work, we would have to find a way for the SPs (x.com, y.com in the example above) to know that the user really wants the RP to have access (both in OAuth, and in the OpenID OAuth extension (which assumes OP==SP) the SP knows because the user - which the SP authenticates - tells the SP directly).
Can you say more about the actual use cases you have in mind for which this would be useful? I'm trying to gauge how important it is to solve this problem :-)
Dirk.
Adding the step2 mailing list to this thread.
Thanks,
--David
On Dec 13, 2008, at 1:56 PM, Pat Cappelaere wrote:
Gentlemen,
As part of an interoperability effort sponsored by the Open GeoSpatial Consortium (OGC), the Workflow Management Coalition and a few other partners including myself have signed up to address the issue of RESTful workflows accessing restricted web services across many organizations.
This scenario presents many challenges due to the number of services that could potentially be accessed by the workflows on behalf of the users.
Workflow Chaining Services (WfCS) are themselves nothing more than black-box web services as far as the user is concerned.
Token Management from a user perspective and service provider (SP) is also an issue. We want to make it as simple as possible for the user to grant/revoke identity delegation and as easy as possible for those providers to implement the protocol in a uniform and consistent manner.
OAuth has been implemented without OpenID as an assumption. This was a great idea.
If OpenID is now a reality for our community, how can we leverage it to provide a consistent user experience? The user is already familiar with the concept of granting "sites" usage of his identity and access (or not) to his profile info.
The user can also manage these grants from his OpenID account, get notifications when "sites" request access....
There seem to be a small step to make to integrate OAuth within the existing infrastructure that is already made available by the exisiting openID providers such as myopenid.com and myvidoop.com.
I have looked at the proposed extension (http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html) but feel that it may fall short from this expectation (but could be wrong). This is certainly a good first step.
Instead of asking for an access token from a user out of context (who is the consumer, who is the provider, what is the requested access realm or resource), why can't we make this part of the request?
The user could respond with yea/nay and even make this semi-permanent until revoked right from that same account. The service provider could keep checking in with the immediate mode. This makes it very simple for the SP (which already supports openid as an RP). Service providers are seldom OPs in our case.
Pat Cappelaere
Hi Pat,
let me see whether I understand your proposal (from a user experience point of view):
You would like a flow in which a user visits an RP, becomes interested in the service the RP provides, and decides to "sign up" at the RP. The RP then sends the user to an OP for login, but also wants to request access to potentially many OAuth SPs that have the user's data.
So the approval page, at the OP, that the user should see would say something like "You're about to log into RP. The RP would like access to the following resources: your data X at x.com, your data Y at y.com, etc." (where x.com and y.com are not the same as the OP).
Did I get this right?
If so, then you're right that the current spec on step2.googlecode.com doesn't address that use case. For this to work, we would have to find a way for the SPs (x.com, y.com in the example above) to know that the user really wants the RP to have access (both in OAuth, and in the OpenID OAuth extension (which assumes OP==SP) the SP knows because the user - which the SP authenticates - tells the SP directly).
Can you say more about the actual use cases you have in mind for which this would be useful? I'm trying to gauge how important it is to solve this problem :-)