{"id":15292,"date":"2018-02-14T21:45:32","date_gmt":"2018-02-14T20:45:32","guid":{"rendered":"https:\/\/notiz.blog\/?p=15292"},"modified":"2021-07-29T15:17:27","modified_gmt":"2021-07-29T13:17:27","slug":"openid-connect-federation","status":"publish","type":"post","link":"https:\/\/notiz.blog\/2018\/02\/14\/openid-connect-federation\/","title":{"rendered":"OpenID Connect Federation"},"content":{"rendered":"\n<p>Sometime last week or the week before, the headline &quot;OpenID Connect Federation 1.0 &#8211; draft XX&quot; showed up in my feed reader, and of course I still jump at buzzwords like <strong>Federation<\/strong> and the like right away!<\/p>\n\n\n\n<p>Reading specifications is generally not much fun, but with <em><a href=\"http:\/\/openid.net\/specs\/openid-connect-federation-1_0.html\"><strong>OpenID Connect Federation 1.0<\/strong><\/a><\/em> I didn't even make it halfway. Before you really understand what the protocol actually does (to me it sounds similar to <a href=\"https:\/\/openid.net\/specs\/openid-connect-registration-1_0.html\"><strong>OpenID Connect Dynamic Client Registration<\/strong><\/a>), it is all about metadata, <a href=\"https:\/\/tools.ietf.org\/html\/rfc7515\">JSON Web Signature (JWS)<\/a>, JSON Web Tokens (JWT) and <a href=\"https:\/\/tools.ietf.org\/html\/rfc7517\">JSON Web Keys (JWK)<\/a>.<\/p>\n\n\n\n<p>I actually thought that <em>OpenID Connect<\/em> was supposed to be super simple thanks to <em>OAuth 2<\/em>&#8230; After all, <em>OAuth 2<\/em> relies on SSL\/TLS and not, like <em>OAuth 1<\/em>, on complicated signatures.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n    <p>The majority of failed OAuth 1.0 implementation attempts are caused by the complexity of the cryptographic requirements of the specification. 
The fact that the original specification was poorly written didn\u2019t help, but even with the newly published <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc5849\">RFC 5849<\/a>, OAuth 1.0 is still not trivial to use on the client side. The convenience and ease offered by simply using passwords is sorely missing in OAuth.<\/p><cite><a href=\"https:\/\/web.archive.org\/web\/20100518100352\/http:\/\/hueniverse.com\/2010\/05\/introducing-oauth-2-0\/\">Eran Hammer<\/a><\/cite><\/blockquote>\n\n\n\n<p>The OpenID Foundation seems to have changed its mind&#8230; SSL apparently isn't enough after all.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n    <p>Another problem that has been raised is the dependency on TLS as the sole protection against attacks on the transferred information. These last couple of years a number of problems with OpenSSL, which is probably the most widely used TLS library, have been discovered that put reasonable doubt into this dependency.<\/p><cite><a href=\"https:\/\/openid.net\/specs\/openid-connect-registration-1_0.html\">OpenID Connect Dynamic Client Registration<\/a><\/cite><\/blockquote>\n\n\n\n<p>What a pity&#8230;<\/p>\n\n\n\n<p>Anyone looking for a real alternative to <em>OpenID Connect<\/em> should take a look at <a href=\"https:\/\/www.w3.org\/TR\/indieauth\/\"><strong>IndieAuth<\/strong><\/a>. <strong>IndieAuth<\/strong> comes very close to the original idea of <a href=\"https:\/\/web.archive.org\/web\/20100609191041\/http:\/\/openidconnect.com:80\/\"><em>OpenID Connect<\/em><\/a> and is relatively easy to understand and also to implement!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sometime last week or the week before, the headline &quot;OpenID Connect Federation 1.0 &#8211; draft XX&quot; showed up in my feed reader, and of course I still jump at buzzwords like Federation and the like right away! 
Reading specifications is generally not much fun, but with OpenID Connect Federation 1.0 I didn't even make it halfway. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"webmentions_disabled_pings":false,"webmentions_disabled":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[2],"tags":[1050,1004,992,423,873],"class_list":{"0":"post-15292","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-web","7":"tag-federation","8":"tag-indieauth","9":"tag-indieweb","10":"tag-openid","11":"tag-openid-connect","12":"h-entry","13":"hentry"},"_links":{"self":[{"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/posts\/15292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/comments?post=15292"}],"version-history":[{"count":2,"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/posts\/15292\/revisions"}],"predecessor-version":[{"id":21566,"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/posts\/15292\/revisions\/21566"}],"wp:attachment":[{"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/media?parent=15292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/categories?post=15292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/notiz.blog\/wp-api\/wp\/v2\/tags?post=15292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}