[Ur] The right way to do federated login in 2015?
Adam Chlipala
adamc at csail.mit.edu
Fri Nov 6 14:55:42 EST 2015
Another potential direction is to stick with the plain old OAuth
protocol, which allows outsourcing authentication to one or more
services that you list up front. I talked to a local expert on
distributed authorization, and he said that what I've described (plus a
rarely used OpenID option) is the de facto standard on the web today.
For instance, with just OAuth, it's easy to bring up a service that does
all authentication via GitHub accounts.
On 10/22/2015 11:02 AM, Adam Chlipala wrote:
> On 10/21/2015 05:12 AM, Eran Meir wrote:
>> From what I read, the two main alternatives for identity management
>> are OIDC <https://en.wikipedia.org/wiki/OpenID_Connect>(OpenID
>> Connect) and SAML
>> <https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>.
>> [...]
>>
>> If I had to risk a guess I would say OIDC will gradually replace SAML
>> (or a new system will replace both?), so I suggest supporting OIDC.
>>
>> OIDC is basically OAuth2.0 + JWT
>> <https://en.wikipedia.org/wiki/JSON_Web_Token>. A gradual
>> implementation approach may be supporting those building blocks as
>> Ur/Web libraries first.
>
> OK, this seems like the most positive recommendation so far, in terms
> of a concrete "standard" that is in use by key players today.
>
> Is anyone interested in taking the lead in developing a library?
>
> I'm motivated enough about at least the OAuth part, as I want to use
> it for a web app, aimed at developers, to do login with GitHub
> credentials. So, I expect that bit would get done by early 2016, even
> if no one else volunteers. JWT/OIDC would be a lower priority, but
> sounds appropriate for apps targeting broader audiences.
>
> However, I would be very glad to see someone else taking the lead on
> an open-source Ur/Web library that handles all the credible enough
> authentication protocols. The existing OpenID library could be a good
> inspiration:
> http://hg.impredicative.com/openid
> [Presumably that original OpenID protocol is no longer worth supporting.]
>
> Any takers?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.impredicative.com/pipermail/ur/attachments/20151106/684f3b61/attachment.html>
More information about the Ur
mailing list