OpenID is an identity management system. It allows users to authenticate to
one site using another site as their identity. A use case for this is, for
example, using your Facebook account to log in to Wikipedia. This may be
useful, as it would allow users to more easily register for Wikipedia.
OAuth is a third-party authentication and authorization system that allows
outside applications to do stuff on behalf of a user. The reason for this
is because currently toolserver applications, etc. authenticate to
Wikipedia using a plaintext username and password, which is extremely
insecure for a number of reasons I will not elaborate on here.
*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
| tylerromeo(a)gmail.com
On Mon, Aug 27, 2012 at 9:52 AM, Gerard Meijssen
<gerard.meijssen(a)gmail.com> wrote:
Hoi,
I have re-read the Wikipedia article about OpenID and OpenAuth.
OpenAuth while nice in many ways is NOT the same as OpenID. User
authentication is one easy and obvious requirement and I have already said
too much about its need.
It is NOT clear at all to me why OpenAuth should be regarded over OpenID.
The use case for OpenID is obvious. In contrast the case for OpenAuth is
not clear at all. What practical things will it solve?
Thanks,
GerardM
On 27 August 2012 01:48, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
> If there are issues with the old standard, there is no significant
> advantage to use of the old spec (besides the case that it already
> exists, etc...), and you are intending to actually use the standard
> rather than just throw it out for people to use. Then that's really a
> valid situation to write a new standard in.
But the problem is that "it already exists" is in fact a valid reason to
use a protocol. There are numerous libraries out there (including a PHP
extension) that allow people to use OAuth to authenticate with services.
Making our own protocol just makes it more difficult for application
developers since, in addition to developing their application, they have
to make their own client side functionality to fulfill our custom
protocol.
Furthermore, as I said before, OAuth 1 isn't bad. It provides for secure
authentication and authorization of the client while protecting against
replay attacks. Furthermore, I'd like to at least put some faith in the
IETF, considering they are quite intelligent people, and not just toss
out their protocol because it isn't "perfect" (quotes are intentional). If
somebody wants to go ahead and make an extension for a custom
authentication protocol, feel free to do so, but I still believe OAuth
support should be our ultimate goal in terms of third-party application
security.
*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
On Sun, Aug 26, 2012 at 2:38 PM, Amir E. Aharoni <
amir.aharoni(a)mail.huji.ac.il> wrote:
> 2012/8/26 Mark A. Hershberger <mah(a)everybody.org>:
> > On 08/24/2012 01:33 PM, Nabil Maynard wrote:
> >> - Persona: Previously called BrowserID. It's come a LONG way in the
> >> past few months, and provides another fairly clean
> >> identity/authentication system.
As a bonus, there is already a BrowserID extension for Bugzilla that
Mozilla is using. Maybe integrating MW and BrowserID would solve the
identity problem in Bugzilla.
+[[Crore]].
--
Amir Elisha Aharoni · אָמִיר אֱלִישָׁע אַהֲרוֹנִי
http://aharoni.wordpress.com
“We're living in pieces,
I want to live in peace.” – T. Moore
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l