[Openid-specs-ab] Direct Request Authentication

Nat Sakimura sakimura at gmail.com
Fri May 28 01:40:12 UTC 2010


In Draft07, I might have overdone a little about the direct assertion
request authentication.

I wrote it as:

8.1.5.  RP requests Assertion directly to the OP

To obtain the assertion through direct request, the RP MUST
authenticate against the OP. There are two ways of doing it, namely:

Through the use of client_secret
Through the use of asymmetric signature

It probably should be SHOULD instead of MUST.

Like Yahoo!'s use case, provided the "code" has sufficient entropy and
is short-lived, there are cases where you just want to submit the bearer
token only to get the result.

Nat Sakimura (=nat)
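To make the MUST-versus-SHOULD trade-off concrete, here is an added illustration (not code from the draft or from the list discussion) of an OP-side code exchange: with `require_client_auth=True` the RP has to present its `client_secret` (the symmetric option; the asymmetric-signature option is not shown), and with it set to `False` a high-entropy, single-use, short-lived code is accepted on its own. The `OP` class, the TTL and entropy constants, and all client identifiers are constructed for this example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60   # constructed policy: codes are only valid briefly
CODE_ENTROPY_BYTES = 16  # constructed policy: at least 128 bits per code


class OP:
    """Minimal OP token endpoint model for the direct-request case."""

    def __init__(self, require_client_auth=True):
        # True models the MUST wording; False models the relaxed SHOULD case.
        self.require_client_auth = require_client_auth
        self.clients = {}  # client_id -> client_secret
        self.codes = {}    # code -> (client_id, issued_at)

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_code(self, client_id, now=None):
        # High-entropy code bound to the RP it was issued to.
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(CODE_ENTROPY_BYTES)
        self.codes[code] = (client_id, now)
        return code

    def exchange(self, code, client_id, client_secret=None, now=None):
        """Return an assertion dict, or None if the request is rejected."""
        now = time.time() if now is None else now
        entry = self.codes.pop(code, None)  # single use: consumed on lookup
        if entry is None:
            return None
        owner, issued_at = entry
        if owner != client_id or now - issued_at > CODE_TTL_SECONDS:
            return None  # wrong RP, or the code has expired
        if self.require_client_auth:
            expected = self.clients.get(client_id)
            if expected is None or client_secret is None:
                return None  # MUST authenticate: bearer-only code refused
            if not hmac.compare_digest(expected, client_secret):
                return None
        return {"assertion_for": client_id, "issued_at": now}
```

Under the relaxed policy the only defences left are the code's entropy, its short lifetime and single-use consumption, which is exactly why the wording matters.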

