[OpenID] [oauth] Replacing email verification with RSS 'push' feeds and OAuth

Allen Tom atom at yahoo-inc.com
Mon Apr 6 18:51:34 UTC 2009

Hi Andrew,

I really like the idea of an OAuth protected messaging service that 
protects the user's inbox from spam, and allows users to selectively 
authorize (and revoke) permission for 3rd parties to send messages to 
them. This is exactly why Facebook messaging is free of spam.

As George has mentioned, this will take awhile time to roll out, but it 
would certainly make sense to move forward on this.

However, a huge gotcha is that many RPs require your email address for 
more than just messaging purposes:

For instance, if the user needs to contact the RP out of band (the RP is 
an online merchant, and the user needs to email or telephone the 
merchant regarding an order) the user will have no way to identify 
himself to the merchant, unless the merchant has the user's verified 
email address. The Googlers on this list might have a bit more to say 
about this scenario regarding their experience with Google Checkout.

On a related note, social networking sites want users to connect with 
each other, and the best way for a user to find someone that they know 
is to search based on email addresses. This is why all decently sized 
social networking sites ask to import your address book from your mail 
provider to help you find your friends in your address book who are also 
using the site.


Andrew Arnott wrote:
> Proposed solution:
>    1. When a user logs into an RP using an OpenID, the RP performs
>       discovery on the user's XRDS document and discovers a service
>       element for push notifications that includes the URI to receive
>       the messages the RP wishes to send to the user.  This element
>       also includes information the RP needs to use OAuth for
>       authorization to send to this message queue.
>    2. During authentication (if the OP is also providing the message
>       queue service for the user) or immediately following
>       authentication (if the user is using a separate message queuing
>       service), the RP sends an OAuth message to the queuing SP
>       requesting authorization to post messages to this user.  The
>       user is directed to a web page explaining the RP wants to send
>       messages and clicks "Accept".
>    3. The user is now logged into the RP.
> When the RP wants to send messages to the user, it POSTs to the 
> queuing SP using its OAuth token.
> The user receives these messages in a manner previously configured 
> with his queuing SP, which will typically be via email forwarding to 
> his inbox.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090406/423dac9b/attachment.htm>

More information about the general mailing list