Authorization using OpenID?

Drummond Reed drummond.reed at cordance.net
Fri Oct 13 10:07:59 PDT 2006


Carsten,

Authorization is not in the scope of OpenID Authentication 2.0; it handles
authN only. Once a relying party (RP) has authenticated a user against an
OpenID identifier (URL or XRI), the RP must then apply their own choice of
authorization infrastructure.

As the OpenID spec "stack" grows, incorporation of authZ standards may fall
into the scope of higher-level specifications. For example, the OASIS XDI
(XRI Data Interchange) Technical Committee
(http://en.wikipedia.org/wiki/XDI) is working on a portable authZ format
called XDI link contracts (http://en.wikipedia.org/wiki/Link_contract), but
(as co-chair of that TC), I don't expect the formal specs until next spring.

You may also want to check out the XACML (Extensible Access Control Markup
Language - http://en.wikipedia.org/wiki/XACML) standard from OASIS as a tool
for creating and enforcing system-independent access control.

=Drummond (i-name: =drummond.reed, http://xri.net/=drummond.reed) 


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of creimer at xs4all.nl
Sent: Friday, October 13, 2006 12:31 AM
To: general at openid.net
Subject: Authorization using OpenID?

Dear list,

I searched the mailing list archives for authorization issues and googled
for it, too. In the mailing list archives nothing was said about
authorization issues and the google results I found mainly pointed out
that OpenID is only for authentication purposes.

To clarify: Authorization in this context means to decide whether an
already authenticated user (e.g. by the OpenID protocol) may use a
special resource or not.

The intended use case:

With our company we would like to use OpenID to enable users to use
several applications with a single sign on mechanism (like OpenID). But
not every user may use every application so we need some authorization
mechanism to distinguish the users who may from those who may not. Is that
something OpenID can do or help to do?

And if so, how can this authorization be achieved? I read through the
specs (v1 and v2) and did not find anything appropriate. Are the
properties introduced in v2 something that might help?

Thanks in advance for any hints, suggestions etc.

With kind regards

Carsten Reimer
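As an added example (not code from either poster or from the OpenID project) illustrating the split both messages describe: OpenID yields a verified identifier, and the relying party then applies its own authorization to decide which applications that identifier may use. The normalization is a simplified version (an assumption, not the full spec rule set) of how OpenID 2.0 canonicalizes user-supplied URL and XRI identifiers; the application names and identifiers are constructed sample data, and `access_decision` assumes the RP's OpenID library has already told it whether the assertion verified.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols: an identifier starting with one of these is an XRI, not a URL.
XRI_GCS = ("=", "@", "+", "$", "!")


def normalize_identifier(claimed: str) -> str:
    """Canonicalize an OpenID identifier before using it as an authorization key.

    Simplified version (assumption) of the normalization OpenID 2.0 applies to
    user-supplied identifiers: strip an "xri://" prefix, keep XRIs as-is, and
    for URLs add a default scheme, lowercase scheme and host, default the path
    to "/" and drop any fragment. Keying the policy on the raw string instead
    would let "Example.com/alice" and "http://example.com/alice" be treated as
    different users.
    """
    s = claimed.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s[:1] in XRI_GCS:
        return s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


@dataclass
class AccessPolicy:
    """RP-local authorization: which authenticated identifiers may use which application."""
    grants: dict = field(default_factory=dict)  # app name -> set of normalized identifiers

    def grant(self, app: str, identifier: str) -> None:
        self.grants.setdefault(app, set()).add(normalize_identifier(identifier))

    def is_authorized(self, app: str, identifier: str) -> bool:
        # Default deny: an unknown app or an identifier without a grant gets nothing.
        return normalize_identifier(identifier) in self.grants.get(app, set())


def access_decision(policy: AccessPolicy, app: str, verified_identifier):
    """Combine the two steps. verified_identifier is the claimed identifier the
    RP's OpenID library reported as successfully authenticated (None if the
    assertion failed or was absent). Returns (allowed, reason)."""
    if verified_identifier is None:
        return False, "not authenticated"
    if not policy.is_authorized(app, verified_identifier):
        return False, "authenticated but not authorized for " + app
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: two applications behind one sign-on, with different user sets.
    policy = AccessPolicy()
    policy.grant("wiki", "http://example.com/alice")
    policy.grant("wiki", "xri://=drummond.reed")
    policy.grant("payroll", "http://example.com/alice")
    for app, who in [("wiki", "Example.COM/alice#"), ("payroll", "=drummond.reed"), ("wiki", None)]:
        print(app, who, access_decision(policy, app, who))
```

The point of normalizing before the lookup is that the authorization table is keyed on the identifier the authentication step actually verified, not on whatever spelling the user typed; the "authenticated but not authorized" reason keeps the two failure modes distinguishable in logs.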



_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general