[OpenID] My 2 Cents to the OpenID foundation
mart at degeneration.co.uk
Thu Apr 2 18:04:56 UTC 2009
Luke Shepard wrote:
> The core OpenID spec doesn’t by itself provide a lot of data – just an
> identifier. I was able to log in with an OpenID identifier using the
> Myspace endpoint without pre-registration using the generic PHP Janrain
> library. Of course, to access extended information using OAuth, you need
> to pre-register, but that is entirely within both the letter and the
> spirit of the OpenID and OAuth specs.
> From the OAuth spec, section 4.2:
> “The Service Provider’s responsibility is to enable Consumer Developers
> to establish a Consumer Key and Consumer Secret. The process and
> requirements for provisioning these are entirely up to the Service
> This highlights the fact that in order to build a truly useful stack, we
> need to extend the core specs to allow for more data flow. The
> OpenID/OAuth hybrid is a great example of the kind of work that’s going
> on to enable that.
That's interesting. I tried MySpaceID a few moments ago on a few
different sites (TypePad, Jyte, LJ... don't remember the full list) and
all of them returned various failures.
I figured this was because the sites hadn't followed the steps on this
But I was just guessing.
Incidentally, I've recently been experimenting with a different
OpenID/OAuth hybrid (complementary rather than competing) which allows
an OAuth token and secret to be used in place of an ad-hoc association
in an OpenID transaction, thus allowing the OpenID provider to
authenticate the calling application and allowing the consumer to skip
the association step.
Ad-hoc association seems redundant in OAuth preregistration scenarios
where a shared secret has already been established out-of-band. I'm just
prototyping right now, though... I just wanted to throw that out there
while we're on the subject.
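
Added example, not part of the original message and not the author's prototype: one way the idea above could work, with an OpenID 2.0 assertion signed by HMAC over the key-value form of the signed fields, keyed by a pre-registered OAuth consumer secret instead of an association MAC key. Carrying the consumer key in `openid.assoc_handle`, using HMAC-SHA256, and all keys and URLs shown are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed pre-registration table: OAuth consumer key -> consumer secret,
# established out-of-band, so no OpenID association request is made.
CONSUMER_SECRETS = {"example-consumer-key": b"constructed-consumer-secret"}
# Fields the relying party insists are covered by the signature.
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}


def sign(fields, signed, secret):
    """HMAC over OpenID key-value form ("name:value\\n" in openid.signed order)."""
    base = "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed).encode("utf-8")
    mac = hmac.new(secret, base, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_assertion(consumer_key, claimed_id, return_to, nonce):
    """Provider side: key the signature with the caller's consumer secret."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        # Assumption: the handle names the consumer key rather than an association.
        "openid.assoc_handle": consumer_key,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, CONSUMER_SECRETS[consumer_key])
    return fields


def verify_assertion(fields):
    """Consumer side: verify with its own secret; reject partial signatures."""
    signed = fields.get("openid.signed", "").split(",")
    secret = CONSUMER_SECRETS.get(fields.get("openid.assoc_handle", ""))
    if secret is None or not REQUIRED.issubset(signed):
        return False
    try:
        expected = sign(fields, signed, secret)
    except KeyError:  # a field listed in openid.signed is absent
        return False
    return hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode())
```
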