
OpenID Connect & OAuth

Dingding Wang
7 min read · Feb 8, 2021


Imagine you found a great deal on Groupon and you want to share it with all your Facebook friends. What might happen now?

In the old world, the most likely thing to happen is this: a Facebook login window pops up. After you log in, Groupon accesses your Facebook friend list and sends the deal to your friends.

Handing your Facebook credentials over to Groupon and letting Groupon do the work looks straightforward, but privacy risks hide behind it. Will the credentials be safe in Groupon’s database? Will they be shared with other organizations? Will Groupon use them to access not only your friend list but also your other resources? Even once you are aware of those risks, there is no way to revoke the access you granted other than changing your Facebook password.

Now, can we introduce a new user flow that handles the authorization for us while keeping our personal information secure?

The answer is yes. In the new flow, in addition to the resource provider (Facebook) and the client (Groupon), there is a third party: the auth provider.

Some requirements we would like the new flow to satisfy:

  • Resource provider & client can trust the auth provider


Written by Dingding Wang

Former Yelper, now a Snapchatter. Focus on Payment transaction system, Search system, Web API server and Internationalization.
