+1. After implementing OIDC, I will support the claim that any SSO protocol with a minimal set of required features smaller than OIDC's is insecure, and that any protocol with similar features but different parameter names is just creating confusion and will increase the chances of non-interoperable and insecure implementations.

Hans.

On 6/12/14, 9:50 PM, Bill Burke wrote:


On 6/12/2014 12:49 PM, Prateek Mishra wrote:
The OpenID Connect 2.0 Core specification alone is 86 pages. It has
received review from maybe a dozen engineers within the OpenID community.


The OpenID Connect spec is 86 pages because it pretty much rehashes the
OAuth2 spec, walking through each flow and how OpenID Connect expands on
that flow.  A4c looks like a subset of this work minus some additional
claims and, IMO, is incomplete compared to OIDC.

FWIW, add 5 Red Hat engineers to the "dozen" of reviewers.  We
originally were creating our own OAuth2 extension using JWT, but found
that any feature we wanted to define already existed in OpenID Connect.
These guys have done great work.  Aren't many of you here authors of
this spec and/or from the same companies?!?  I think your energies are better
focused on lobbying OIDC to join the IETF and this WG.



--
Hans Zandbelt              | Sr. Technical Architect
hzandb...@pingidentity.com | Ping Identity

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth