Thanks, Bill - I certainly appreciate the comment from an implementor
who wasn't involved in the OIDC protocol design.
My understanding of the discussion around a4c is one of a minimalist
extension to OAuth, not a full-featured one like OIDC.
One concern I have heard expressed is that OIDC is so large and full
featured that most people just implement some
subset of their own choice. I believe this is the case with all the
large consumer web sites.
I would welcome the publication of a minimalist draft from OIDC to the
OAuth IETF. We have spent a lot of time lobbying for
this outcome! There is no question in my mind that the review within
IETF would be more comprehensive and expose the work
to a larger community.
- prateek
On 6/12/2014 12:49 PM, Prateek Mishra wrote:
The OpenID Connect 2.0 Core specification alone is 86 pages. It has
received review from maybe a dozen engineers within the OpenID
community.
The OpenID Connect spec is 86 pages because it pretty much rehashes
the OAuth2 spec walking through each flow and how OpenID Connect
expands on that flow. A4c looks like a subset of this work minus some
additional claims and, IMO, is incomplete compared to OIDC.
FWIW, add 5 Red Hat engineers to the "dozen" of reviewers. We
originally were creating our own oauth2 extension using JWT, but found
that any feature we wanted to define already existed in OpenID
Connect. These guys have done great work. Aren't many of you here
authors of this spec and/or the same companies?!? I think your
energies are better focused on lobbying OIDC to join the IETF and this
WG.