[Ur] The right way to do federated login in 2015?

Sergey Mironov grrwlf at gmail.com
Fri Nov 6 15:39:21 EST 2015


Hi. Just want to add some information to the thread. I once wrote an
OAuth2 _client_ in Haskell (for the VKHS library). From the RFC [1] I've
learned that 1) OAuth2 is hard; 2) there are different authentication
procedures defined in this standard; 3) the easiest one to code (at
least, for the client side) is called 'Implicit grant', section 4.2.

So if one thinks about separating the big task into smaller parts, I
would suggest beginning with the implementation of the Implicit grant
part of OAuth2.

Regards,
Sergey

[1] http://tools.ietf.org/html/rfc6749

2015-11-06 22:55 GMT+03:00 Adam Chlipala <adamc at csail.mit.edu>:
> Another potential direction is to stick with the plain old OAuth protocol,
> which allows outsourcing authentication to one or more services that you
> list up front.  I talked to a local expert on distributed authorization, and
> he said that what I've described (plus a rarely used OpenID option) is the
> de facto standard on the web today.
>
> For instance, with just OAuth, it's easy to bring up a service that does all
> authentication via GitHub accounts.
>
>
> On 10/22/2015 11:02 AM, Adam Chlipala wrote:
>
> On 10/21/2015 05:12 AM, Eran Meir wrote:
>
> From what I read, the two main alternatives for identity management are OIDC
> (OpenID Connect) and SAML.
> [...]
>
> If I had to risk a guess I would say OIDC will gradually replace SAML (or a
> new system will replace both?), so I suggest supporting OIDC.
>
> OIDC is basically OAuth2.0 + JWT. A gradual implementation approach may be
> supporting those building blocks as Ur/Web libraries first.
>
>
> OK, this seems like the most positive recommendation so far, in terms of a
> concrete "standard" that is in use by key players today.
>
> Is anyone interested in taking the lead in developing a library?
>
> I'm motivated enough about at least the OAuth part, as I want to use it for
> a web app, aimed at developers, to do login with GitHub credentials.  So, I
> expect that bit would get done by early 2016, even if no one else
> volunteers.  JWT/OIDC would be a lower priority, but sounds appropriate for
> apps targeting broader audiences.
>
> However, I would be very glad to see someone else taking the lead on an
> open-source Ur/Web library that handles all the credible enough
> authentication protocols.  The existing OpenID library could be a good
> inspiration:
>     http://hg.impredicative.com/openid
> [Presumably that original OpenID protocol is no longer worth supporting.]
>
> Any takers?
>
>
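As an added example, not code from this thread or from the VKHS or Ur/Web projects: the client side of the Implicit grant (RFC 6749, section 4.2) in Python. It builds the authorization request with a `state` value and then checks the redirect the authorization server sends back, rejecting a response whose `state` does not match the request. The authorization endpoint, client id, redirect URI and sample token are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://auth.example/authorize"  # placeholder authorization endpoint
CLIENT_ID = "my-client-id"                        # placeholder client identifier
REDIRECT_URI = "https://app.example/callback"     # placeholder, pre-registered with the server


def build_authorization_request(scope, state=None):
    """RFC 6749 4.2.1: send the user-agent to the authorization endpoint with
    response_type=token. 'state' ties the later redirect to this session."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def parse_redirect(redirect_url, expected_state):
    """RFC 6749 4.2.2: the token arrives in the URL fragment (not the query
    string). Returns the token fields or raises ValueError on an error
    response, a state mismatch, or a malformed response."""
    fragment = urlsplit(redirect_url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in fields:  # 4.2.2.1 error response
        raise ValueError(f"authorization error: {fields['error']}")
    # Constant-time comparison; a mismatch means the redirect was not
    # produced for a request this client made.
    if not secrets.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: response not bound to our request")
    for required in ("access_token", "token_type"):
        if required not in fields:
            raise ValueError(f"missing {required} in token response")
    if fields["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {fields['token_type']}")
    return {
        "access_token": fields["access_token"],
        "expires_in": int(fields["expires_in"]) if "expires_in" in fields else None,
        "scope": fields.get("scope"),
    }


if __name__ == "__main__":
    url, state = build_authorization_request("email")
    # Constructed sample of the redirect an authorization server would send back.
    sample = f"{REDIRECT_URI}#access_token=tok123&token_type=bearer&expires_in=3600&state={state}"
    print(url)
    print(parse_redirect(sample, state))
```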
