[Openid-specs-ab] To sign or to authenticate
sakimura at gmail.com
Wed May 26 15:15:18 UTC 2010
To make sure that the direct assertion request comes from
the correct client, we have two ways of doing it.
1) Authenticate the client using client_id and client_secret
2) Sign the request.
Option 1) is the course OAuth 2.0 is taking.
If we just use it, we do not need a signed request format.
The downside of this option is that the client must
obtain and maintain the list of secrets for each and every
Which do you think is better?
Nat Sakimura (=nat)