OpenID and OAuth Hybrid

Convener: Yariv Adan

Attendees:
 * Martin Atkins
 * Axel Nennker
 * Max Engel
 * Karen Zlenko
 * Jorgen Thelin
 * Alex Rosen
 * Praveen Alavilli
 * LP Mavrice
 * Jono Kane
 * Jonas Hinn
 * Scotty Logan
 * Mike Lee
 * Scott Kveton
 * Laural Boylen

Technology Discussed/Considered: OpenID & OAuth

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

OpenID and OAuth flows are confusing to users when both have to be completed at once. This session is about how we can combine the OpenID and OAuth flows so that authentication and authorization happen in fewer steps, improving usability. This does what "Facebook Connect" does, but with open protocols. MySpace will be doing exactly this (Max Engel in the crowd).

Use OpenID to embed the OAuth token while the user is verifying their identity
 * this would be a much better user experience

Google has a proposal for the OpenID/OAuth extension for doing this
 * supports both OpenID and OAuth provider scenarios

Links on Google's work on this:
 * Google OAuth & Federated Login Research
 * Usability research on federated login

Phase one is having to write a lot of this code against multiple sites: Yahoo, Google, MySpace, Facebook and others. This will pave the way to protocols and ways to automatically discover APIs and how to get at things like friends, calendar, etc.

Joseph Smarr is doing the OpenID/OAuth flow on the white-board -> get pic on flickr

 1. Consumer key - "unregistered consumers"
 2. Require token reuse?
 3. Desktop/mobile
 4. Stateless RPs
 5. Scope
 6. SP create req_token during consent?

Do we need to support request tokens for anything but desktop clients? Web clients don't need it.

Today, OpenID and OAuth require several round-trips. This combined approach eliminates many of those round-trips.
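To make the combined round-trip concrete, here is an added example (not code from these notes or from Google's proposal) of a relying party building one redirect that carries both requests and then accepting the returned request token only when the OP's signature covers it. The `openid.oauth.*` parameter names and namespace follow the published OpenID OAuth Extension draft and are assumed to match what the session discussed; the host names and token value are constructed, and verifying the signature itself is left to the OpenID library.

```python
from urllib.parse import urlencode, parse_qsl, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def build_hybrid_request(op_endpoint, realm, return_to, consumer_key, scope):
    """Build one redirect carrying the login request and the OAuth request."""
    return op_endpoint + "?" + urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        "openid.ns.oauth": OAUTH_EXT_NS,        # declares the extension
        "openid.oauth.consumer": consumer_key,  # which OAuth consumer is asking
        "openid.oauth.scope": scope,            # what access is requested
    })

def extract_approved_token(return_url):
    """Return (request_token, scope), or None if the OAuth fields are unsigned."""
    fields = dict(parse_qsl(urlsplit(return_url).query))
    if fields.get("openid.mode") != "id_res":
        return None
    # The OP may pick any alias; find the one bound to the extension namespace.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == OAUTH_EXT_NS), None)
    signed = set(fields.get("openid.signed", "").split(","))
    if alias is None or not {"ns." + alias, alias + ".request_token"} <= signed:
        return None  # a token outside openid.signed could be added in transit
    token = fields.get("openid." + alias + ".request_token")
    return (token, fields.get("openid." + alias + ".scope", "")) if token else None

# Constructed sample responses (not captured traffic).
BASE_FIELDS = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
               "openid.ns.oauth": OAUTH_EXT_NS,
               "openid.oauth.request_token": "tok123",
               "openid.oauth.scope": "https://op.example/feeds/contacts"}
SAMPLE_SIGNED = "https://rp.example/return?" + urlencode(dict(
    BASE_FIELDS,
    **{"openid.signed": "mode,ns.oauth,oauth.request_token,oauth.scope"}))
SAMPLE_UNSIGNED = "https://rp.example/return?" + urlencode(dict(
    BASE_FIELDS, **{"openid.signed": "mode"}))
```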

EHL: why not have OpenID do most of the heavy lifting for this?

David Recordon: RPs are not using stateless mode; it's a fallback mode. check_authentication needs to be there for sure.

Joseph offers up the idea of removing several of the steps in the OpenID + OAuth transaction knowing that we may be sacrificing some security for the user.

Session results:
 * Still need to answer if we continue to use the req_token ... this is for unregistered RPs
 * Read the hybrid protocol and participate in the OpenID working group on this
 * New draft coming out with potential changes based on these discussions


 * How do we get this moving forward?
 * What do we need for library support?
 * Who is going to launch with this?