[Python-Dev] Offtopic: OpenID Providers

Barry Warsaw barry at python.org
Thu Sep 5 20:53:43 CEST 2013

On Sep 05, 2013, at 11:33 AM, Toshio Kuratomi wrote:

>Sortof.... The way OAuth looks to me, it's designed to prove that a given
>client is authorized to perform an action.  It's not designed to prove that
>the given client is a specific person.  In some cases, you really want to
>know the latter and not merely the former.  So I think in these situations
>Donald's separation of Authz and Authn makes sense.

This probably isn't the only application of these technologies, but I've
always thought about OAuth as delegating authority to scripts and programs to
act on your behalf.  For example, you can write a script to interact with
Launchpad's REST API, but before you can use the script, you have to interact
with the web ui once (since your browser is trusted, presumably) to receive a
token which the script can then use to prove that it's acting on your behalf.
If at some point you stop trusting that script, you can revoke the token to
disable its access, without having to reset your password.

To me, OpenID is about logging into web sites using single-sign on.  For
example, once I've logged into Launchpad, I can essentially go anywhere that
accepts OpenID, type my OpenID and generally not have to log in again (things
like two-factor auth and such may change that interaction pattern).

Or to summarize to a rough approximation: OpenID is for logins, OAuth is for

Persona seems to fit the OpenID use case.  You'd still want OAuth for

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130905/9a5db88e/attachment-0001.sig>

More information about the Python-Dev mailing list