[OpenID] My 2 Cents to the OpenID foundation

Martin Atkins mart at degeneration.co.uk
Thu Apr 2 18:04:56 UTC 2009

Luke Shepard wrote:
> The core OpenID spec doesn’t by itself provide a lot of data – just an 
> identifier. I was able to log in with an OpenID identifier using the 
> Myspace endpoint without pre-registration using the generic PHP Janrain 
> library. Of course, to access extended information using OAuth, you need 
> to pre-register, but that is entirely within both the letter and the 
> spirit of the OpenID and OAuth specs.
> From the OAuth spec, section 4.2:
> “The Service Provider’s responsibility is to enable Consumer Developers 
> to establish a Consumer Key and Consumer Secret. The process and 
> requirements for provisioning these are entirely up to the Service 
> Providers.”
> This highlights the fact that in order to build a truly useful stack, we 
> need to extend the core specs to allow for more data flow. The 
> OpenID/OAuth hybrid is a great example of the kind of work that’s going 
> on to enable that.

That's interesting. I tried MySpaceID a few moments ago on a few 
different sites (TypePad, Jyte, LJ... don't remember the full list) and 
all of them returned various failures.

I figured this was because the sites hadn't followed the steps on this 
wiki page:

But I was just guessing.

Incidentally, I've recently been experimenting with a different 
OpenID/OAuth hybrid (complementary rather than competing) which allows 
an OAuth token and secret to be used in place of an ad-hoc association 
in an OpenID transaction, thus allowing the OpenID provider to 
authenticate the calling application and allowing the consumer to skip 
the association step.

Ad-hoc association seems redundant in OAuth preregistration scenarios 
where a shared secret has already been established out-of-band. I'm just 
prototyping right now, though... I just wanted to throw that out there 
while we're on the subject.
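
An added sketch, not part of the original message and not Martin's prototype: a consumer verifying an OpenID 2.0 positive assertion whose signature is keyed with a preregistered OAuth secret instead of a negotiated association. It assumes the OAuth token travels as `openid.assoc_handle` and the token secret is the HMAC-SHA1 key; the message does not specify either, and all names and values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample: OAuth token -> token secret, provisioned out-of-band.
SECRETS = {"constructed-oauth-token": b"constructed-token-secret"}
# Fields OpenID 2.0 (section 10.1) requires in openid.signed.
ALWAYS_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def sign(fields, mac_key):
    """HMAC-SHA1 over the key-value form ('key:value\\n') of the signed fields."""
    signed = fields["openid.signed"].split(",")
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    digest = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def verify(fields, secrets):
    """Accept the assertion only if it is signed with the preregistered secret."""
    # Assumption: the OAuth token is carried where the association handle goes.
    secret = secrets.get(fields.get("openid.assoc_handle"))
    if secret is None:
        return False  # unknown token: no shared secret to check against
    signed = fields.get("openid.signed", "").split(",")
    required = set(ALWAYS_SIGNED)
    # claimed_id / identity must be covered by the signature when present.
    required |= {k for k in ("claimed_id", "identity") if "openid." + k in fields}
    if not required.issubset(signed):
        return False  # a security-relevant field was left unsigned
    if any("openid." + k not in fields for k in signed):
        return False  # signature list names a field that is missing
    expected = sign(fields, secret).encode("ascii")
    supplied = fields.get("openid.sig", "").encode("utf-8")
    return hmac.compare_digest(expected, supplied)

def sample_assertion():
    """Constructed assertion, signed as the provider would under this scheme."""
    fields = {
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2009-04-02T18:04:56Zabc123",
        "openid.assoc_handle": "constructed-oauth-token",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, SECRETS[fields["openid.assoc_handle"]])
    return fields
```

A real consumer would additionally reject a replayed `openid.response_nonce` and check `openid.return_to` against the URL it actually sent.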
