OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom atom at
Tue Nov 18 00:31:38 UTC 2008

Sadly, because the OpenID authentication request is not signed, the CK 
can't be authenticated, but as you pointed out, although the user may 
authorize the application, the CK secret is still required to fetch the 
credentials. The worst that could happen is that a user will authorize 
an impostor, but the impostor will not be able to retrieve the token.

That being said, in our case, the CK contains additional information 
besides the scope. Yahoo's OAuth Permissions screen contains a lot of 
rich information including the application's name, description, 
developer(s), images, authorization lifetimes, etc. Over time, new 
fields may be added to the approval page.

While it might make sense for the application's scope to be passed in at 
authorization time, does it also make sense to define new parameters for 
all the other application specific metadata? The actual data that needs 
to be displayed on an approval page is very SP specific, and some SPs 
may have security/legal policies requiring that all metadata is manually 
reviewed, which makes it impossible for metadata to be passed in at runtime.

So that's why SPs may need the CK in order to display the Approval page. 
Make sense?


Dirk Balfanz wrote:
> Need to know the CK for what? What purpose would hinting at the CK 
> serve (since it wouldn't prove ownership)? And don't say "scope" :-)

More information about the specs mailing list