[Ur] The right way to do federated login in 2015?

Adam Chlipala adamc at csail.mit.edu
Fri Nov 6 14:55:42 EST 2015


Another potential direction is to stick with the plain old OAuth 
protocol, which allows outsourcing authentication to one or more 
services that you list up front.  I talked to a local expert on 
distributed authorization, and he said that what I've described (plus a 
rarely used OpenID option) is the de facto standard on the web today.

For instance, with just OAuth, it's easy to bring up a service that does 
all authentication via GitHub accounts.

On 10/22/2015 11:02 AM, Adam Chlipala wrote:
> On 10/21/2015 05:12 AM, Eran Meir wrote:
>> From what I read, the two main alternatives for identity management 
>> are OIDC <https://en.wikipedia.org/wiki/OpenID_Connect>(OpenID 
>> Connect) and SAML 
>> <https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>.
>> [...]
>>
>> If I had to risk a guess I would say OIDC will gradually replace SAML 
>> (or a new system will replace both?), so I suggest supporting OIDC.
>>
>> OIDC is basically OAuth2.0 + JWT 
>> <https://en.wikipedia.org/wiki/JSON_Web_Token>. A gradual 
>> implementation approach may be supporting those building blocks as 
>> Ur/Web libraries first.
>
> OK, this seems like the most positive recommendation so far, in terms 
> of a concrete "standard" that is in use by key players today.
>
> Is anyone interested in taking the lead in developing a library?
>
> I'm motivated enough about at least the OAuth part, as I want to use 
> it for a web app, aimed at developers, to do login with GitHub 
> credentials.  So, I expect that bit would get done by early 2016, even 
> if no one else volunteers.  JWT/OIDC would be a lower priority, but 
> sounds appropriate for apps targeting broader audiences.
>
> However, I would be very glad to see someone else taking the lead on 
> an open-source Ur/Web library that handles all the credible enough 
> authentication protocols.  The existing OpenID library could be a good 
> inspiration:
> http://hg.impredicative.com/openid
> [Presumably that original OpenID protocol is no longer worth supporting.]
>
> Any takers?
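The thread's summary that OIDC is "OAuth 2.0 + JWT" is worth seeing as code: the relying party sends the user to the provider with a `state` and a `nonce`, receives a one-time code on its callback URL, exchanges that code for an ID token (a JWT), and then must check the token's signature and its `iss`, `aud`, `exp` and `nonce` claims before trusting the `sub` it names. The following Python is an added example written for this page; it is not Ur/Web code and not from any library discussed in the thread. The provider is simulated in-process so the exchange runs offline, the issuer, client id, client secret and redirect URI are constructed placeholders, and the token is signed with HS256 using the client secret as the key (an option OIDC permits; public providers such as GitHub-style logins normally use RS256 with keys fetched from a JWKS endpoint, which this example does not implement).

```python
"""Minimal OpenID Connect relying-party flow (authorization code) with
ID-token validation. Added example, not Ur/Web code and not from the thread.
The provider side is simulated in-process so the whole thing runs offline."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

ISSUER = "https://idp.example"                 # constructed issuer
CLIENT_ID = "demo-client"                       # constructed client id
CLIENT_SECRET = b"constructed-client-secret"    # constructed shared secret
REDIRECT_URI = "https://app.example/callback"   # constructed callback


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Serialise claims as an HS256 JWT (stands in for the provider's signer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    """Check the signature and the claims OIDC requires a client to validate.
    Raises ValueError on any failure; returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token's own 'alg' pick the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:   # ties the token to this login
        raise ValueError("nonce mismatch")
    return claims


class SimulatedProvider:
    """Stand-in for the identity provider: hands out codes, mints ID tokens."""
    def __init__(self):
        self.codes = {}

    def authorize(self, auth_url: str, user: str) -> str:
        """The user 'logs in' at the provider; returns the redirect back to us."""
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": user, "nonce": q["nonce"][0], "aud": q["client_id"][0]}
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str) -> str:
        info = self.codes.pop(code)             # codes are single-use
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": info["sub"], "aud": info["aud"],
                  "nonce": info["nonce"], "iat": now, "exp": now + 300}
        return make_jwt(claims, CLIENT_SECRET)


class RelyingParty:
    """The web app side: starts the login, then validates the callback."""
    def __init__(self, provider):
        self.provider = provider
        self.pending = {}                       # state -> nonce, per login attempt

    def start_login(self) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
                  "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def finish_login(self, callback_url: str) -> dict:
        q = parse_qs(urlparse(callback_url).query)
        nonce = self.pending.pop(q.get("state", [""])[0], None)
        if nonce is None:                       # unknown or reused state: reject
            raise ValueError("unknown state")
        id_token = self.provider.token(q["code"][0])   # the code exchange
        return verify_id_token(id_token, CLIENT_SECRET, nonce)


def demo_login(user="alice") -> str:
    """Run one complete login and return the authenticated subject."""
    idp = SimulatedProvider()
    rp = RelyingParty(idp)
    callback = idp.authorize(rp.start_login(), user)
    return rp.finish_login(callback)["sub"]
```

The two values the relying party generates itself are what make the flow safe to outsource: `state` binds the callback to a login this app actually started (a callback with an unknown or already-used state is dropped), and `nonce` binds the ID token to that same attempt so a token captured elsewhere cannot be replayed. Note that `verify_id_token` pins the expected algorithm rather than reading it from the token; swapping in RS256 verification against the provider's published keys is the one change a production deployment would need.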