
On Sep 05, 2013, at 11:33 AM, Toshio Kuratomi wrote:
Sort of.... The way OAuth looks to me, it's designed to prove that a given client is authorized to perform an action. It's not designed to prove that the given client is a specific person. In some cases, you really want to know the latter and not merely the former. So I think in these situations Donald's separation of Authz and Authn makes sense.
This probably isn't the only application of these technologies, but I've always thought about OAuth as delegating authority to scripts and programs to act on your behalf. For example, you can write a script to interact with Launchpad's REST API, but before you can use the script, you have to interact with the web UI once (since your browser is trusted, presumably) to receive a token which the script can then use to prove that it's acting on your behalf. If at some point you stop trusting that script, you can revoke the token to disable its access, without having to reset your password.

To me, OpenID is about logging into web sites using single sign-on. For example, once I've logged into Launchpad, I can essentially go anywhere that accepts OpenID, type my OpenID and generally not have to log in again (things like two-factor auth and such may change that interaction pattern).

Or to summarize to a rough approximation: OpenID is for logins, OAuth is for scripts. Persona seems to fit the OpenID use case. You'd still want OAuth for scripting.

-Barry
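The delegation pattern Barry describes (one interactive login, a per-script token, revocation without a password reset) and Toshio's point that such a token proves authorization rather than identity can both be seen in a small model. The following is an added example, not code from the thread or from Launchpad; the `AuthServer` class, its method names and the sample accounts are constructed for illustration and are not a real OAuth implementation.

```python
"""Toy authorization server modelling token delegation and revocation (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """A delegation: the token lets `client` act for `username` within `scopes`."""
    username: str
    client: str
    scopes: frozenset
    revoked: bool = False


class AuthServer:
    """Constructed stand-in for the web UI / API server pair in the thread."""

    def __init__(self):
        self._passwords = {}   # username -> (salt, pbkdf2 hash)
        self._grants = {}      # sha256(token) -> Grant; raw tokens are never stored

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, self._hash_password(password, salt))

    def login(self, username, password):
        """Authentication: proves the caller knows the account password (the person)."""
        entry = self._passwords.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash_password(password, salt))

    def issue_token(self, username, password, client, scopes):
        """The one interactive step: the person logs in and delegates to a named client."""
        if not self.login(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._grants[self._token_key(token)] = Grant(username, client, frozenset(scopes))
        return token

    def revoke(self, token):
        """Disable one script's access; the password and other tokens are untouched."""
        grant = self._grants.get(self._token_key(token))
        if grant is not None:
            grant.revoked = True

    def check(self, token, scope):
        """Authorization: return the account the bearer may act for, or None.

        This proves only that *some* authorized agent of the account is calling,
        not that the person is present; that gap is why revocation matters.
        """
        grant = self._grants.get(self._token_key(token))
        if grant is None or grant.revoked or scope not in grant.scopes:
            return None
        return grant.username


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse")          # constructed sample account
    backup = srv.issue_token("alice", "correct horse", "backup-script", {"read"})
    filer = srv.issue_token("alice", "correct horse", "bug-filer", {"read", "write"})
    print("backup-script may read:", srv.check(backup, "read"))
    srv.revoke(backup)
    print("after revocation:", srv.check(backup, "read"), "| bug-filer still works:", srv.check(filer, "write"))
    print("password still valid:", srv.login("alice", "correct horse"))
```

Note that `check` returns a username, but the only thing the server has actually verified is possession of a token that was once delegated; a stolen token passes just as well as the original script, which is the authorization/authentication distinction from the thread and the reason per-client revocation is worth having.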