[Ur] The right way to do federated login in 2015?

Adam Chlipala adamc at csail.mit.edu
Thu Oct 22 11:02:23 EDT 2015


On 10/21/2015 05:12 AM, Eran Meir wrote:
> From what I read, the two main alternatives for identity management 
> are OIDC <https://en.wikipedia.org/wiki/OpenID_Connect>(OpenID 
> Connect) and SAML 
> <https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>.
> [...]
>
> If I had to risk a guess I would say OIDC will gradually replace SAML 
> (or a new system will replace both?), so I suggest supporting OIDC.
>
> OIDC is basically OAuth2.0 + JWT 
> <https://en.wikipedia.org/wiki/JSON_Web_Token>. A gradual 
> implementation approach may be supporting those building blocks as 
> Ur/Web libraries first.

OK, this seems like the most positive recommendation so far, in terms of 
a concrete "standard" that is in use by key players today.

Is anyone interested in taking the lead in developing a library?

I'm motivated enough about at least the OAuth part, as I want to use it 
for a web app, aimed at developers, to do login with GitHub 
credentials.  So, I expect that bit would get done by early 2016, even 
if no one else volunteers.  JWT/OIDC would be a lower priority, but 
sounds appropriate for apps targeting broader audiences.

However, I would be very glad to see someone else taking the lead on an 
open-source Ur/Web library that handles all the credible enough 
authentication protocols.  The existing OpenID library could be a good 
inspiration:
     http://hg.impredicative.com/openid
[Presumably that original OpenID protocol is no longer worth supporting.]

Any takers?
