Note that there is a 2nd conference call scheduled for this Thursday: http://www.ietf.org/mail-archive/web/oauth/current/msg13494.html

Participants:
* Brian Campbell
* Mike Jones
* William Kim
* John Bradley
* John Mandel
* Justin Richer

Notes:

The aim of the discussion here is to produce a short write-up about problems seen in real-world deployments where OAuth was used for authentication. It is not a goal to discuss the work on new specifications.

Justin mentioned that we could put the write-up on oauth.net.

The outcome of such a write-up could be two-fold, namely
* to make folks aware of OpenID Connect, and
* to give recommendations for those who want to create their own authentication mechanism based on OAuth.

We discussed the content of the write-up, and the conference call participants thought it would be useful to use case studies of what can go wrong; Facebook was repeatedly mentioned as a source for such stories. An example of a common mistake is to assume that receiving an OAuth access token implies that the user was authenticated recently.

It turns out that Justin as well as John had written blog posts about this topic already, and Justin volunteered to produce a strawman proposal by this Thursday to have text for the group to look at.

Hannes encouraged everyone to send him other blog posts and examples of failed attempts to use OAuth for authentication.
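As an added illustration of the mistake the notes mention (this is example code, not from the call, the working group or any deployment): a hypothetical relying party that accepts any unexpired access token as a login, next to the check that an OpenID Connect ID token makes possible (audience, issuer, expiry and auth_time freshness). The client id, issuer, maximum login age and all token claim sets are constructed sample values, and token signatures are assumed to have been verified before these functions run.

```python
import time
from typing import Optional

CLIENT_ID = "my-relying-party"    # constructed: this client's registered id
ISSUER = "https://idp.example"    # constructed: the identity provider we trust
MAX_AUTH_AGE = 300                # seconds within which a login counts as "recent"


def login_from_access_token(access_token: dict, now: Optional[float] = None) -> bool:
    """The mistake: treat any unexpired access token as 'the user just logged in'.
    An access token is scoped to a resource API, is not addressed to this client,
    and carries no record of when (or whether) the user authenticated, so a token
    issued to a different app, or minted long after the login, passes this check.
    Signature verification is assumed to have happened before this call."""
    now = time.time() if now is None else now
    return access_token.get("exp", 0) > now


def login_from_id_token(id_token: dict, now: Optional[float] = None) -> bool:
    """What OpenID Connect adds: an ID token addressed to this client (aud), from
    the expected issuer, unexpired, with an auth_time recent enough for our policy.
    Signature verification is assumed to have happened before this call."""
    now = time.time() if now is None else now
    aud = id_token.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return False                       # token was issued for another client
    if id_token.get("iss") != ISSUER:
        return False                       # not from the provider we trust
    if id_token.get("exp", 0) <= now:
        return False                       # expired
    auth_time = id_token.get("auth_time")
    if auth_time is None or now - auth_time > MAX_AUTH_AGE:
        return False                       # no evidence of a recent login
    return True


NOW = 1_700_000_000  # fixed clock so the sample below is deterministic

# Constructed sample claim sets for user "alice".
OTHER_APP_ACCESS_TOKEN = {"aud": "photo-api", "sub": "alice", "exp": NOW + 3600}
FRESH_ID_TOKEN = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                  "exp": NOW + 600, "auth_time": NOW - 30}
OLD_LOGIN_ID_TOKEN = dict(FRESH_ID_TOKEN, auth_time=NOW - 7200)
OTHER_CLIENT_ID_TOKEN = dict(FRESH_ID_TOKEN, aud="some-other-client")

if __name__ == "__main__":
    print("access token accepted as login:", login_from_access_token(OTHER_APP_ACCESS_TOKEN, NOW))
    print("fresh ID token:", login_from_id_token(FRESH_ID_TOKEN, NOW))
    print("stale login ID token:", login_from_id_token(OLD_LOGIN_ID_TOKEN, NOW))
    print("ID token for other client:", login_from_id_token(OTHER_CLIENT_ID_TOKEN, NOW))
```

The first line of output shows the flawed check accepting a token that was never meant for this client and says nothing about when the user logged in; the ID token path rejects the stale and misdirected tokens.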