Re: "Logged in with fedsocweb"

On 8 July 2012 18:29, Markus Sabadello <markus.sabadello@gmail.com> wrote:

> A. In OpenID there's something called the UserInfo endpoint (In OAuth
> terminology, that's the protected resource). So you could request the list
> of friends, and other things directly from that UserInfo endpoint, simply
> as part of the normal OAuth flow.
>
> OR
>
> B. We could have a standard Linked Data endpoint from which you get the
> list of friends and other stuff, and we could protect that endpoint with
> the OpenID Connect token.
>
> So the flow would be something like this I think
>
> 1. User goes to relying party website
> 2. Relying party website asks "Plz sign in with OpenID Connect"
> 3. User types their FedSocWeb address (Webfinger), which is also their
> OIDC identifier
> 4. Relying party website redirects to the user's personal OpenID Connect
> IdP [which could be on a FreedomBox, or on a self-hosted status.net instance, etc]
> 5. User types password or authenticates in some other way [e.g. with a
> Yubikey plugged into their FreedomBox]
> 6. OIDC IdP redirects user back to relying party website
> 7. Relying party website receives access token
> 8. (in case of A above): Relying party talks to UserInfo endpoint to
> receive user ID plus additional information such as list of friends
> 8. (in case of B above): Relying party talks to UserInfo endpoint to
> receive user ID, then talks to Linked Data endpoint to receive list of
> friends.
>
> Or something like that..
>
> I know the standard authn/authz mechanism for Linked Data is WebID/WebACL,
> but shouldn't OAuth/OIDC work too?
>

Linked data is 100% compatible with OAuth too.  The tolerance principle of
the web doesn't mandate any particular authn/authz method.  It can't really
mandate any one system at that scale, because the web will break out of any
hierarchy imposed on it, eventually.


>
> Markus
>
>
> On Sun, Jul 8, 2012 at 5:31 PM, Michiel de Jong <michiel@unhosted.org> wrote:
>
>> On Sun, Jul 8, 2012 at 6:15 PM, Michiel de Jong <michiel@unhosted.org>
>> wrote:
>> > interrelated). but only saying 'nodes should implement OpenID Connect'
>> > is not enough to solve these two use cases, i think? Scanning over
>> > http://openid.net/connect/ i see no explicit mention of friend lists,
>> > but maybe i didn't read carefully enough?
>>
>> ah, found it - "Open source protocols such as Portable Contacts can be
>> used with OpenID to offer your site access to a user’s address book
>> and friends lists." on http://openid.net/add-openid/
>>
>> so yeah that makes sense to me. require webfinger + openid connect +
>> poco for normal users, or as a power user alternative, the same but
>> using a client-side cert instead of a password.
>>
>> poco is already in OStatus, so that's good. would have to set up a
>> demo of this and then describe it on the wiki.
>>
>>
>
>
>
>

Received on Sunday, 8 July 2012 16:34:55 UTC
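The relying-party side of the flow sketched in steps 3-8 above, covering both variant A (friends from UserInfo) and variant B (friends from a token-protected Linked Data endpoint), as an added example that is not part of this thread. It adds the `state` check a relying party needs so a callback cannot be swapped into another browser session; the IdP, the Linked Data endpoint, the `friends`/`knows` fields, the client id and all URLs are constructed assumptions, with HTTP replaced by an in-memory stub so it runs offline.

```python
import secrets
from urllib.parse import urlencode
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"  # WebFinger rel defined by OIDC Discovery

def webfinger_issuer(http_get, acct):
    # Step 3: resolve the user's FedSocWeb address to their OIDC IdP via WebFinger.
    q = urlencode({"resource": "acct:" + acct, "rel": ISSUER_REL})
    doc = http_get("https://%s/.well-known/webfinger?%s" % (acct.split("@", 1)[1], q))
    hrefs = [l["href"] for l in doc.get("links", []) if l.get("rel") == ISSUER_REL]
    if not hrefs: raise ValueError("no OIDC issuer advertised for " + acct)
    return hrefs[0]
def start_login(issuer, client_id, redirect_uri):
    # Step 4: build the redirect; a random `state` ties the later callback to this browser session.
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "scope": "openid", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return issuer + "/authorize?" + urlencode(params), state
def finish_login(http_get, http_post, issuer, client_id, redirect_uri, state, callback, friends_endpoint=None):
    # Steps 6-8: check state, swap the code for a token, read UserInfo; variant B adds the Linked Data endpoint.
    if not secrets.compare_digest(callback.get("state", ""), state):
        raise ValueError("state mismatch: callback is not bound to this login")
    tok = http_post(issuer + "/token", {"grant_type": "authorization_code", "code": callback["code"],
                                        "redirect_uri": redirect_uri, "client_id": client_id})
    auth = {"Authorization": "Bearer " + tok["access_token"]}
    info = http_get(issuer + "/userinfo", headers=auth)
    if friends_endpoint is None:   # variant A: friends come straight from UserInfo
        return {"sub": info["sub"], "friends": info.get("friends", [])}
    graph = http_get(friends_endpoint, headers=auth)   # variant B: same token protects the Linked Data endpoint
    return {"sub": info["sub"], "friends": [f["@id"] for f in graph.get("knows", [])]}
def fake_idp():
    # Constructed stand-in for the user's IdP and Linked Data endpoint so the demo runs offline.
    tokens = set()
    def get(url, headers=None):
        if url.startswith("https://example.org/.well-known/webfinger?"):
            return {"links": [{"rel": ISSUER_REL, "href": "https://idp.example.org"}]}
        if (headers or {}).get("Authorization", "")[7:] not in tokens:
            raise PermissionError("missing or invalid bearer token for " + url)
        if url == "https://idp.example.org/userinfo":
            return {"sub": "alice", "friends": ["bob"]}
        return {"knows": [{"@id": "https://data.example.org/bob"}, {"@id": "https://data.example.org/carol"}]}
    def post(url, form):
        tokens.add(t := "tok-" + secrets.token_hex(4))   # issue a fresh token for the presented code
        return {"access_token": t, "token_type": "Bearer"}
    return get, post

def demo(variant_b):
    get, post = fake_idp()
    issuer = webfinger_issuer(get, "alice@example.org")
    _url, state = start_login(issuer, "rp-client", "https://rp.example.net/cb")
    return finish_login(get, post, issuer, "rp-client", "https://rp.example.net/cb", state,
                        {"code": "c0de", "state": state},   # what the IdP appends to the redirect in step 6
                        "https://data.example.org/alice/friends" if variant_b else None)
```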