OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Breno de Medeiros breno at
Fri Nov 14 04:32:17 UTC 2008

I changed my mind on this one.

A. The fact that scopes are not standardized in OAuth today does not
mean that in the future *some* scopes (e.g., related to portable
contacts) may be standardized.

B. The consumer key is an intrinsic identifier of the party requesting
association and probably should be included, with the realm, in the
association request (if available).

There is no need, however, to include any additional information in
the authentication request. The consumer key can be bound to the
association handle.

On Thu, Nov 13, 2008 at 6:43 PM, Allen Tom <atom at> wrote:
> In the future, we might update our OAuth service to allow developers to pass
> us the scope dynamically, rather than binding the scope to the CK. However,
> we'd still probably require developers to agree to a TOS in order to get a
> CK/CS.
> I'm concerned about having to tell developers to pass the CK via the scope
> parameter for the first revision, and then later telling them that scope
> parameter actually means the scope. I'd like to have one parameter (possibly
> optional) that means CK, and another parameter (also optional) that means
> Scope. Overloading a single parameter can get really messy in the long run.
> Allen
> Breno de Medeiros wrote:
>> Ok, but what is wrong for you to instruct the developers to insert the
>> consumer_key in the scope parameter, and they bind it to the approved
>> request token?


+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
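
The binding described in point B of the message above, sketched from the OP's side as an added example (not code from the thread or from any OpenID/OAuth draft). The class and function names, the unprefixed `scope` parameter, and the realm check on lookup are assumptions made for illustration; the association's MAC key is left out.

```python
import secrets
import time


class AssociationStore:
    """OP-side table keyed by association handle (constructed sketch)."""

    def __init__(self):
        self._assocs = {}

    def associate(self, realm, consumer_key=None, lifetime=3600):
        # The consumer key is optional ("if available" in the message above).
        handle = secrets.token_urlsafe(16)
        self._assocs[handle] = {
            "realm": realm,
            "consumer_key": consumer_key,
            "expires": time.time() + lifetime,
        }
        return handle

    def consumer_key_for(self, handle, realm):
        """Resolve the consumer key for an authentication request."""
        assoc = self._assocs.get(handle)
        if assoc is None or assoc["expires"] <= time.time():
            raise LookupError("unknown or expired association handle")
        # Assumption: the handle travels through the browser, so it is not
        # a secret; refuse it when quoted with a different realm.
        if assoc["realm"] != realm:
            raise PermissionError("realm does not match the association")
        return assoc["consumer_key"]


def handle_auth_request(store, params):
    """Return (consumer_key, scope) for an authentication request.

    The request names only the handle and realm; `scope` is a separate,
    optional, hypothetical parameter and never carries the consumer key.
    """
    ck = store.consumer_key_for(params["openid.assoc_handle"],
                                params["openid.realm"])
    return ck, params.get("scope")
```

Because the consumer key is looked up from the handle, the authentication request needs no extra field for it, and the scope can later be passed on its own without changing what either parameter means.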
