On 6/13/2014 11:46 AM, Prateek Mishra wrote:
Thanks, Bill - I certainly appreciate the comment from an implementor who wasnt involved in the OIDC protocol design. My understanding of the discussion around a4c is one of a minimalist extension to OAuth, not a full-featured one like OIDC. One concern I have heard expressed is that OIDC is so large and full featured that most people just implement some subset of their own choice. I believe this is the case with all the large consumer web sites. I would welcome the publication of a minimalist draft from OIDC to the OAuth IETF. We have spent a lot of time lobbying for this outcome! There is no question in my mind that the review within IETF would be more comprehensive and expose the work to a larger community.
I don't think a minimalist draft of OIDC is needed as many of the extensions are optional. Our implementation was already Oauth2/JWT based and it was really easy to meet the minimal requirements of OIDC core.
To create competing standards at IETF just because OIDC is not part of IETF, IMO, is a disservice to the community.
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
