OpenID/OAuth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom atom at yahoo-inc.com
Mon Nov 17 20:08:28 UTC 2008


Dirk Balfanz wrote:
>
> So, again, the proposal seems to be to embed a hint to the consumer 
> key into the association request (which will then be threaded through 
> the association handle into the auth request). This doesn't buy us any 
> additional security, it just hints at what scope the consumer is 
> allowed to request (for those SPs that encode scope in consumer keys) 
> - the security is provided later in the access token request step.
>
It's unfortunate that the OpenID Authentication request isn't signed, 
because if it were signed, it would be nearly equivalent to OAuth: an 
OAuth approval page is only displayed using a valid Request Token that 
was returned via a signed request.

> Now, my argument is that we already _have_ a place to signal scope. 
> It's the openid.oauth.scope parameter.

Yes, but as Breno said, the OAuth spec does not currently have a concept 
of scope; the Consumer Key, however, is definitely part of the spec. It 
would seem more generally useful for a Consumer to signal the Consumer 
Key rather than the scope, as many SPs need to know the CK, but not all 
of them will need to know the scope. That being said, the CK and Scope 
should just be 2 separate parameters.



> If you don't want to put consumer keys there, let consumers put some 
> other encoding of the scope there.

I have no problem with having an optional parameter for CK, and a 
different optional parameter for scope.

Allen
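Added illustration, not part of Allen's message or of any draft on this thread: the two requests being compared, built the way a Consumer would send them. The first is the unsigned OpenID 2.0 checkid_setup request carrying separate CK and scope parameters; the second is the OAuth 1.0 Request Token request, which the SP can verify with HMAC-SHA1 against the secret registered for the claimed Consumer Key. The hostnames, keys and secrets are constructed sample values, and the extension namespace URI and the openid.oauth.consumer / openid.oauth.scope parameter names are assumptions made for the example, since the thread is still debating what those parameters should be.

```python
"""Added example: why an unsigned OpenID auth request cannot carry a trustworthy
Consumer Key hint, while a signed OAuth Request Token request can.

Hostnames, keys, secrets and the openid.oauth.* parameter names below are
assumptions for illustration, not values taken from the mailing-list thread.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed sample credentials and endpoints (not real).
CONSUMER_KEY = "www.example.com"
CONSUMER_SECRET = "constructed-consumer-secret"
REQUEST_TOKEN_URL = "https://sp.example.net/oauth/get_request_token"
# Assumed extension namespace and parameter names for the hybrid CK/scope hint.
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"


def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters are left bare."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """Sort parameters by encoded name (then value) and join as k=v pairs with '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """OAuth 1.0 Signature Base String: METHOD & enc(url) & enc(normalized params)."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_openid_auth_request(return_to, realm, consumer_key, scope):
    """Consumer side: OpenID 2.0 checkid_setup request carrying the hybrid hint.

    Nothing in this message is signed. The OP can read openid.oauth.consumer,
    but cannot tell whether the sender actually holds that Consumer Key.
    """
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.oauth": OAUTH_EXT_NS,
        "openid.oauth.consumer": consumer_key,  # assumed name: one parameter for the CK
        "openid.oauth.scope": scope,            # assumed name: a separate one for scope
    }


def build_request_token_request(url, consumer_key, consumer_secret,
                                nonce=None, timestamp=None):
    """Consumer side: a signed OAuth 1.0 Request Token request (POST body params)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature("POST", url, params, consumer_secret)
    return params


def sp_verify_request_token_request(url, params, consumer_secrets):
    """SP side: recompute the signature with the secret registered for the claimed key.

    A sender that claims someone else's oauth_consumer_key fails here, because it
    does not hold the matching secret. This is the check the OpenID request lacks.
    """
    secret = consumer_secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature("POST", url, unsigned, secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)


if __name__ == "__main__":
    registry = {CONSUMER_KEY: CONSUMER_SECRET}  # the SP's consumer registry

    openid_req = build_openid_auth_request(
        "https://www.example.com/openid/return", "https://www.example.com/",
        CONSUMER_KEY, "https://sp.example.net/contacts")
    impostor_hint = dict(openid_req, **{"openid.oauth.consumer": "attacker.example.org"})
    print("OP has any signature to check on the OpenID request?",
          any(k in ("openid.sig", "oauth_signature") for k in impostor_hint))

    genuine = build_request_token_request(REQUEST_TOKEN_URL, CONSUMER_KEY, CONSUMER_SECRET)
    print("SP accepts genuine Request Token request:",
          sp_verify_request_token_request(REQUEST_TOKEN_URL, genuine, registry))
    # An impostor claims the real CK but can only sign with a secret it made up.
    impostor = build_request_token_request(REQUEST_TOKEN_URL, CONSUMER_KEY, "made-up-secret")
    print("SP accepts impostor's Request Token request:",
          sp_verify_request_token_request(REQUEST_TOKEN_URL, impostor, registry))
```

The verification function deliberately recomputes the signature from the received parameters rather than trusting anything the Consumer asserts about itself; the same routine, with a token secret supplied, serves the later access token request step that Dirk refers to. A production SP would also reject stale timestamps and reused nonces, which are left out here to keep the contrast between the two requests visible.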