[Python-Dev] Offtopic: OpenID Providers
Toshio Kuratomi
a.badger at gmail.com
Thu Sep 5 20:33:47 CEST 2013
On Thu, Sep 05, 2013 at 10:25:22PM +0400, Oleg Broytman wrote:
> On Thu, Sep 05, 2013 at 02:16:29PM -0400, Donald Stufft <donald at stufft.io> wrote:
> >
> > On Sep 5, 2013, at 2:12 PM, Oleg Broytman <phd at phdru.name> wrote:
> > > I used to use myOpenID and became my own provider using poit[1].
> > > These days I seldom use OpenID -- there are too few sites that allow
> > > full-featured login with OpenID. The future lies in OAuth 2.0.
> >
> > The Auth in OAuth stands for Authorization not Authentication.
>
> There is no authorization without authentication, so OAuth certainly
> performs authentication: http://oauth.net/core/1.0a/#anchor9 ,
> http://tools.ietf.org/html/rfc5849#section-3
>
Sortof.... The way OAuth looks to me, it's designed to prove that a given
client is authorized to perform an action. It's not designed to prove that
the given client is a specific person. In some cases, you really want to
know the latter and not merely the former. So I think in these situations
Donald's separation of Authz and Authn makes sense.
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130905/d6c3e7f9/attachment.sig>
More information about the Python-Dev
mailing list