Thursday, May 10, 2012

Over simplified graphical representation of OpenID Connect

The OAuth 2.0 authorization code grant type defines how the Client uses the browser to obtain an access token (blue) from the Authorization Server (AS). The OAuth 2.0 Bearer Token spec defines how the Client then presents that token on API calls to arbitrary endpoints.


OpenID Connect layers new pieces on top - the new ID Token and the UserInfo endpoint (both in orange). As before, the Client (normally) uses the browser as the means to obtain tokens.

The Client consumes the ID Token (after checking its signature, issuer, audience, expiry and nonce) and creates a local session based on it. The Client uses the access token, as a bearer token, to call both the UserInfo endpoint and other API endpoints.
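The flow sketched above, as an added example that is not part of the original post: a self-contained Python simulation of the authorization code flow with both sides' messages, ending with the Client validating the ID Token, creating a session from it, and reusing the same bearer access token at UserInfo. The issuer, client id, redirect URI and shared secret are hypothetical, and the ID Token is HS256-signed with that client secret purely so the example runs offline (real deployments normally use RS256 with the AS's published keys).

```python
"""Added example (not from the original post): OpenID Connect authorization
code flow simulated in one process. Assumptions: hypothetical AS/client names,
HS256 ID Token signed with the client secret so no key distribution is needed."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://as.example"          # hypothetical Authorization Server
CLIENT_ID = "demo-client"              # hypothetical client id
CLIENT_SECRET = b"shared-demo-secret"  # hypothetical secret shared AS <-> Client
REDIRECT_URI = "https://client.example/cb"

def b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims):
    """Compact JWS, HS256 (demo only; production OIDC normally uses RS256)."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"

class AuthorizationServer:
    """Toy AS: front-channel authorize, back-channel token, bearer-protected UserInfo."""
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, nonce, subject)
        self.tokens = {}   # access_token -> subject

    def authorize(self, request_url, user):
        # The browser carries the Client's request here; the user logs in at the AS,
        # never at the Client. Returns the redirect back to the Client with the code.
        q = parse_qs(urlparse(request_url).query)
        assert q["response_type"] == ["code"] and "openid" in q["scope"][0].split()
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"][0], q["redirect_uri"][0], q["nonce"][0], user)
        return f"{q['redirect_uri'][0]}?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Code is single use and bound to the client and redirect_uri it was issued for.
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("invalid_client")
        _, _, nonce, sub = entry
        access = secrets.token_urlsafe(24)
        self.tokens[access] = sub
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        return {"access_token": access, "token_type": "Bearer", "id_token": sign_jwt(claims)}

    def userinfo(self, authorization_header):
        # Same bearer token the Client would send to any other API endpoint.
        scheme, _, tok = authorization_header.partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            raise PermissionError("invalid_token")
        return {"sub": self.tokens[tok], "email": f"{self.tokens[tok]}@example"}

def verify_id_token(jwt, expected_nonce, now=None):
    """Checks the Client must make before building a session from an ID Token."""
    header, payload, sig = jwt.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u_dec(sig), expected): raise ValueError("bad signature")
    if json.loads(b64u_dec(header)).get("alg") != "HS256": raise ValueError("unexpected alg")
    c = json.loads(b64u_dec(payload))
    now = int(time.time()) if now is None else now
    if c["iss"] != ISSUER: raise ValueError("wrong issuer")
    if c["aud"] != CLIENT_ID: raise ValueError("wrong audience")
    if c["exp"] <= now: raise ValueError("expired")
    if c["nonce"] != expected_nonce: raise ValueError("nonce mismatch (replayed token?)")
    return c

def run_flow(as_, user="alice"):
    """Client side of the flow; returns (session, userinfo response, token response)."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)   # per-login randoms
    request_url = f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email", "state": state, "nonce": nonce})
    callback = as_.authorize(request_url, user)            # browser round trip
    q = parse_qs(urlparse(callback).query)
    if q["state"][0] != state: raise ValueError("state mismatch (CSRF?)")
    tokens = as_.token(CLIENT_ID, CLIENT_SECRET, q["code"][0], REDIRECT_URI)  # back channel
    claims = verify_id_token(tokens["id_token"], nonce)
    session = {"sub": claims["sub"], "logged_in_at": claims["iat"]}   # session built from ID Token
    profile = as_.userinfo(f"Bearer {tokens['access_token']}")      # access token as bearer
    return session, profile, tokens

if __name__ == "__main__":
    print(run_flow(AuthorizationServer())[:2])
```

The point the diagram makes is visible in the code: the user's credential is only ever seen by the AS, the Client's session rests on the validated ID Token, and the same opaque bearer token that unlocks UserInfo would be sent unchanged to any other API the AS protects.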


Wednesday, May 02, 2012

Paul Madsen continues with Ping Identity’s Office of the CTO


Identity Management Expert Paul Madsen continues with Ping Identity’s Office of the CTO
Respected Identity Advocate to Help Develop and Evangelize Next Generation of Standards Including OpenID Connect and OAuth
Ping Identity®, The Cloud Identity Security Leader™, today announced that Paul Madsen will remain in the company’s Office of the CTO as senior technical architect. In this role, he will continue to develop and evangelize the next generation of identity standards, including OpenID Connect and OAuth.
“An active and well-respected member of the Identity community, Paul brings an in-depth understanding of interoperability and open standards to our team,” said Patrick Harding, CTO of Ping Identity. “This expertise directly aligns with Ping Identity’s standards-based approach to solving complex identity management challenges and makes him a natural fit for our expanding team.”

Thursday, April 26, 2012

A taxonomy of confusion

Axel Nennker pointed out on Twitter an OpenID implementation between Amazon & MyHabit.com.

A screenshot of the login page

My first reaction was that this was an example of the password anti-pattern, ie the user is being asked by MyHabit.com to present their Amazon credentials. 

Axel pointed out to me that this was actually an Amazon page and not a MyHabit page, but branded to look like a MyHabit page - in Axel's words

So it's not password anti-pattern, because MyHabit never sees the user's credentials.

But it is, to my mind, misleading, because the MyHabit branded login page may make it feel to a user like they are presenting their Amazon password to MyHabit. 

It's not password anti-pattern, it's the 'anti password anti-pattern'.

A taxonomy is called for

Wednesday, March 21, 2012

Holy sh&t, this stuff is real

Logged into my Ping WebEx on Android without presenting my Ping credential to anybody but Ping.

Screenshots follow

Instead of authenticating directly to the client, I select 'Sign in through your corporate website'


I knew this from URLs


I even got my first password attempt wrong - this is no cardboard demo!!


I'm in. Now I can avoid meetings with @weeunquietmind even when mobile!!