OpenID/OAuth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Allen Tom
atom at yahoo-inc.com
Wed Dec 3 19:31:59 UTC 2008
Hi Martin,
The intent is to be able to identify applications which were not
deliberately designed to be malicious. Well designed malicious apps
would piggyback off of another app's CK or just cycle through a list of
CKs to evade detection.
However, there have been occasions where legitimate apps behave
strangely, and we'd like to be able to contact the developer of the app
for more information. Having the CK present in the server logs makes it
a lot easier for us to diagnose problems on our side, especially if
we're able to use the CK to look up information about the app and its
developer.
We've also seen apps that are well intentioned, but extremely buggy.
It's very helpful to be able to easily identify requests originating
from these apps if we need to disable them.
Allen
Martin Atkins wrote:
> If I make a dangerous app using the consumer key from a popular
> application, would you blacklist that key and inconvenience all of its
> users?
>
> (I doubt it.)
>
>
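The diagnostic use Allen describes, attributing requests in the provider's server logs to an OAuth consumer key (CK) so that a buggy but well-intentioned app can be spotted and its developer contacted, can be sketched as a small log-analysis routine. The code below is an added example and is not code from the original thread or from any of the participants' systems; the log line format, the consumer key values, the `DEVELOPER_REGISTRY` table and the thresholds are all constructed for illustration. Consistent with Martin's point in the quoted message, the result is a triage signal for diagnosis, not an authorization decision: a CK in a log line can be copied by an ill-intentioned client, so nothing here treats the key as proof of which app sent the request.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the original page). Each line
# is "<client_ip> <status> <request_target>"; OAuth 1.0 parameters are carried
# in the query string, so oauth_consumer_key is visible to the log.
SAMPLE_LOG = """\
10.0.0.1 200 /v1/contacts?oauth_consumer_key=dj0yJmk9abc&oauth_signature_method=HMAC-SHA1
10.0.0.2 200 /v1/contacts?oauth_consumer_key=dj0yJmk9abc&oauth_signature_method=HMAC-SHA1
10.0.0.3 401 /v1/contacts?oauth_consumer_key=dj0yJmk9buggy&oauth_signature_method=HMAC-SHA1
10.0.0.3 401 /v1/contacts?oauth_consumer_key=dj0yJmk9buggy&oauth_signature_method=HMAC-SHA1
10.0.0.3 500 /v1/profile?oauth_consumer_key=dj0yJmk9buggy
10.0.0.3 200 /v1/profile?oauth_consumer_key=dj0yJmk9buggy
10.0.0.9 200 /v1/profile
"""

# Hypothetical CK -> developer contact table, standing in for the provider's
# app registry that Allen mentions looking the key up in.
DEVELOPER_REGISTRY = {
    "dj0yJmk9abc": "dev-abc@example.invalid",
    "dj0yJmk9buggy": "dev-buggy@example.invalid",
}

NO_KEY = "<no consumer key>"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<target>\S+)$")


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query)
    ck = params.get("oauth_consumer_key", [None])[0]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "consumer_key": ck}


def summarize_by_consumer_key(log_text):
    """Count requests and 4xx/5xx responses per consumer key."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["consumer_key"] or NO_KEY
        stats[key]["requests"] += 1
        if rec["status"] >= 400:
            stats[key]["errors"] += 1
    return dict(stats)


def flag_misbehaving(stats, min_requests=3, max_error_rate=0.5):
    """Return {ck: error_rate} for keys with enough traffic and a high error rate.

    The minimum request count avoids flagging a key on a single failed call;
    requests that carry no CK at all cannot be attributed and are skipped.
    """
    flagged = {}
    for ck, s in stats.items():
        if ck == NO_KEY:
            continue
        rate = s["errors"] / s["requests"]
        if s["requests"] >= min_requests and rate >= max_error_rate:
            flagged[ck] = rate
    return flagged


def developer_contacts(flagged, registry=DEVELOPER_REGISTRY):
    """Map each flagged CK to the registered developer contact, if any."""
    return {ck: registry.get(ck, "<unregistered key>") for ck in flagged}


if __name__ == "__main__":
    stats = summarize_by_consumer_key(SAMPLE_LOG)
    flagged = flag_misbehaving(stats)
    for ck, rate in flagged.items():
        print(f"{ck}: error rate {rate:.0%}, contact {developer_contacts(flagged)[ck]}")
```

Running the script over the constructed log flags only the second key, whose four requests produced three errors, and resolves it to the registered contact; the first key has a clean record and the unattributed request is ignored. In production the same summary would be run over a time window rather than a whole file, and the per-key thresholds tuned to the API's normal error profile.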