[OpenID] Leveraging OpenID Server Infrastructure to support OAuth

Pat Cappelaere pat at cappelaere.com
Wed Dec 10 12:55:40 UTC 2008


I have some "disadvantaged" service providers out there that would like to implement OAuth. My users will have an OpenID and are familiar with the concept of authorizing "Sites". OpenID servers such as MyOpenID, VIDOOP... have a great infrastructure to request user authorization (email, sms, voice...).

Couldn't we leverage that infrastructure to speed up OAuth acceptance? [and help those SPs do a better job]

It appears, on the surface, that if a service provider (SP) receives an OAuth request from an application consumer (AC) on behalf of a user with an OpenID, that SP could go back to the OpenID server and request user authorization for AC to act on the user's behalf with an immediate or setup request using the realm as the AC URL. The problem is that the server is going to return a trust_root error to avoid a phishing attack.

I am wondering if that error isn't too strict and a better behavior would be for the server to tell the user that an authorization is requested by SP to allow AC to act on his behalf?

This would now give the user a single place to manage grant access for sites or applications with no other change to the server.

[Another way would be for the SP to check with the OP whether AC has been authorized by the user, but this might present some other security concerns]

Thanks,


Pat.
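To make the trust_root rejection described above concrete, here is an added example (my own code, not from the post or from any OpenID server) implementing the OpenID 2.0 realm/return_to matching rule an OP applies before showing an authorization prompt. The SP callback and consumer URLs are constructed samples; the point is that a realm naming the AC can never contain a return_to that points at the SP, which is exactly why the OP refuses it.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    # Explicit port wins; otherwise fall back to the scheme's default.
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(realm_host, url_host):
    # A "*.example.com" realm covers example.com itself and every subdomain.
    if realm_host.startswith("*."):
        suffix = realm_host[2:]
        return url_host == suffix or url_host.endswith("." + suffix)
    return realm_host == url_host


def _path_matches(realm_path, url_path):
    # return_to must be the realm path or a sub-directory of it ("/a" must not cover "/ab").
    rp, up = realm_path or "/", url_path or "/"
    if rp == up:
        return True
    if not rp.endswith("/"):
        rp += "/"
    return up.startswith(rp)


def return_to_matches_realm(realm, return_to):
    """True if return_to lies inside the realm (OpenID 2.0 section 9.2 rules)."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.scheme not in DEFAULT_PORTS or r.fragment:
        return False  # realm must be http(s) and carry no fragment
    if r.hostname is None or u.hostname is None:
        return False
    if r.hostname.startswith("*.") and "." not in r.hostname[2:]:
        return False  # "*.com"-style realms are forbidden: they would match everyone
    return (r.scheme == u.scheme
            and _effective_port(r) == _effective_port(u)
            and _host_matches(r.hostname.lower(), u.hostname.lower())
            and _path_matches(r.path, u.path))


# Constructed sample: the SP's own OAuth callback, i.e. where the OP response must land.
SP_RETURN_TO = "https://sp.example.com/oauth/authorize_cb?oauth_token=abc123"


def decision_for(realm, return_to=SP_RETURN_TO):
    """What the OP does with the request: proceed, or reject with the trust_root error."""
    return "proceed" if return_to_matches_realm(realm, return_to) else "trust_root_error"


if __name__ == "__main__":
    print(decision_for("https://consumer.example.net/"))  # realm = AC URL, as proposed
    print(decision_for("https://sp.example.com/"))        # realm = the SP itself
```

The first call is rejected because the AC's realm does not contain the SP's return_to; only a realm that names the SP passes, so an OP cannot be asked to vouch for a third-party consumer this way without the behavior change the post suggests.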