Institute of Electrical & Electronic Engineers
Currently, the identity ecosystem on the web is fragmented across a number of different authorization flows, with no standardized high-security authentication mechanism beyond usernames and passwords. Current identity solutions such as OpenID Connect and BrowserID are, at an abstract level, simply two different authorization flows that differ across a number of criteria, such as privacy. The authors also detail a number of well-known attacks against each approach. Thus the "client offline/server-to-server" authorization flow of the OAuth-based approach (OpenID Connect) is in fact complemented by the "online client-to-server" authorization flow of BrowserID, each being more or less effective depending on the particular use case at hand.