Then why aren't people using this instead of (mis)using OAuth for this?

Different question, if we do define AC4 will people move to that, or continue 
doing the wrong thing anyway?


On Thursday, July 24, 2014 8:57 AM, Nat Sakimura <sakim...@gmail.com> wrote:
 




2014-07-24 10:30 GMT-04:00 Phil Hunt <phil.h...@oracle.com>:

I’m not at all saying that OpenID is bad. If you want an IDP, it's fine.  But if 
all a client wants is authentication, they think why can’t I just use RFC6749?

If all one wants is to build a simple client, there is a standing document 
called OpenID Connect Basic Client Implementer's Guide 1.0. 

It is a profile that deals only with the 'code' flow. 
Size-wise, it is 32 pages. The breakdown is approximately as below: 

Abstract, Intro, ToC - 2.5 pages
Terminology - 1.5 pages
Getting ID Token - 9 pages
ID Token Validation - 1 page (Seems missing from a4c draft?)
Userinfo Endpoint - 7 pages
Serializations - 1 page (missing in a4c?)
String Operations etc. - 1 page (missing in a4c?)
Considerations - 2 pages (very brief in a4c)
References, Acknowledgement - 2 pages
Document History etc. - 7 pages


The a4c draft is 14 pages long. It will be longer than this in the end as it is 
missing a bunch of things. 
The comparable portion of the Basic Client Profile is 14 pages or so. 

Just one data point. 

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth