[Ur] The right way to do federated login in 2015?

Eran Meir eranmeir at gmail.com
Wed Oct 21 05:12:10 EDT 2015


From what I read, the two main alternatives for identity management are OIDC
<https://en.wikipedia.org/wiki/OpenID_Connect> (OpenID Connect) and SAML
<https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>.

OIDC, the 3rd version of OpenID, is apparently more API-friendly than
previous versions and is backed up by some big names like Google, Yahoo,
Microsoft, etc.

SAML is more prevalent in the enterprise world, but doesn't play nice with
native (esp. mobile) applications.

If I had to risk a guess I would say OIDC will gradually replace SAML (or a
new system will replace both?), so I suggest supporting OIDC.

OIDC is basically OAuth 2.0 + JWT
<https://en.wikipedia.org/wiki/JSON_Web_Token>. A gradual implementation
approach may be supporting those building blocks as Ur/Web libraries first.


Best regards,
Eran.


On Tue, Oct 20, 2015 at 3:56 PM, Adam Chlipala <adamc at csail.mit.edu> wrote:

> For a long time, I've been bothered by the idea that every person should
> have a separate account with a separate password on every web service that
> he uses.  I'm not the only one who's been bothered, and a variety of
> federated login approaches have been proposed, where one account can be
> used to log into every compliant service, using cryptography to do it all
> without allowing services to impersonate their users to other services.  In
> 2010, OpenID seemed like a winner among the protocols out there, so I
> implemented an Ur/Web library for it.
>
> These days, it seems that OpenID has really failed.  I see options like
> OAuth for, e.g., letting users log into a developer-centric service with
> GitHub credentials.
>
> I'm writing to ask the list: is there one obvious federated login protocol
> that seems to be "winning" today, such that it might be worth implementing
> as an open-source Ur/Web library?  If so, is anyone interested in getting
> involved with building that library?