junosuarez / web-login

A maximally minimal proposal for browser-based user identity management

Unable to revoke a GUID #8

Closed terinjokes closed 8 years ago

terinjokes commented 10 years ago

The spec in its current shape authenticates a user only by the GUID passed from the login provider to the web application. If this GUID is ever compromised (via malware, MitM, database leak, among others), there's no way for a user to revoke the GUID or generate a new one.

ForbesLindesay commented 10 years ago

Security-wise, wouldn't it make more sense to stick with the Persona approach here? I.e. the IdP publishes a public key and signs the identity with the corresponding private key. This signed token is then provided to the web service for verification.

Then if anything goes wrong, all you have to do is generate a new public/private key pair.