OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Manger, James H James.H.Manger at
Tue Nov 18 03:53:24 UTC 2008

Dirk, Allen, Brian, etc.,

How about sending an ‘unauthorized request token’ with the OpenID authentication request, instead of a scope or a consumer key?

A Service Provider can choose to encode the consumer key or scope into the request token when issuing it if they need those details when interacting with the user.

From the OAuth perspective there would be minimal change to the protocol. Instead of redirecting the user to the authorization URL (after adding the token), the user is redirected to the OP URL (after adding the token). That makes it easier to be confident that the hybrid model does not introduce new security weaknesses.

Ideally, an app would attempt to access a protected resource at an SP and get:
* A 401 Unauthenticated response from the SP; with
* A “WWW-Authenticate: OAuth” header; with
* A parameter providing the authorization URL; and
* Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).

If the app supports the hybrid mode, and the SP has indicated it supports the hybrid mode by including an OP URL in a 401 response, and the user’s OpenID identifier resolves (via discovery) to the same OP, then the app can trigger the hybrid auth/authz action.

James Manger
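The decision the post sketches in the last two paragraphs (parse the SP's 401 challenge, see whether it advertises an OP, confirm the user's identifier discovers to that same OP, then redirect with the unauthorized request token attached) as an added worked example. This is not code from the post, from the OpenID or OAuth specifications, or from any project; the challenge parameter names `authorization_url` and `op_url` are assumptions, since the post does not name them, and the discovery table is constructed sample data standing in for real OpenID discovery.

```python
"""Hybrid-mode decision for an OAuth consumer, modelled on the 401 flow
described in the post. Assumed (not from the post or any spec): the
WWW-Authenticate: OAuth challenge carries `authorization_url` and `op_url`
parameters. Discovery results below are constructed sample data."""
import re
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# key="value" pairs of an auth-scheme challenge; handles backslash-escaped quotes.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_oauth_challenge(www_authenticate):
    """Return the OAuth challenge parameters as a dict, or None when the
    header carries some other scheme (e.g. Basic)."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "oauth":
        return None
    return {k: v.replace('\\"', '"') for k, v in _PARAM_RE.findall(params)}


# Constructed sample of what OpenID discovery would return per identifier.
# A real consumer would fetch the identifier (Yadis / HTML discovery) instead.
SAMPLE_DISCOVERY = {
    "https://alice.example.org/": "https://op.example.org/auth",
    "https://bob.example.net/": "https://other-op.example.net/auth",
}


def discover_op(identifier):
    """Stand-in for OpenID discovery: identifier -> OP endpoint URL or None."""
    return SAMPLE_DISCOVERY.get(identifier)


def same_op(url_a, url_b):
    """Compare two OP endpoints by scheme, host and path; scheme and host
    case-insensitively, ignoring a trailing slash on the path."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower(), a.path.rstrip("/")) == (
        b.scheme.lower(), b.netloc.lower(), b.path.rstrip("/"))


def with_token(url, request_token):
    """Append oauth_token=<unauthorized request token> to the URL's query.
    (A real OpenID request to the OP would also carry openid.* parameters;
    only the token the post talks about is shown here.)"""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("oauth_token", request_token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def choose_redirect(challenge, identifier, request_token, app_supports_hybrid=True):
    """Return (mode, redirect_url). Hybrid mode is used only when the app
    supports it, the SP advertised an OP URL, and the user's identifier
    discovers to that same OP; otherwise fall back to plain OAuth."""
    auth_url = challenge.get("authorization_url")
    if auth_url is None:
        raise ValueError("challenge lacks an authorization URL")
    op_url = challenge.get("op_url")
    if app_supports_hybrid and op_url:
        discovered = discover_op(identifier)
        if discovered and same_op(discovered, op_url):
            return "hybrid", with_token(op_url, request_token)
    return "oauth", with_token(auth_url, request_token)


# Constructed sample challenge, as the SP would send it on a 401 response.
SAMPLE_401_HEADER = (
    'OAuth realm="https://sp.example.com/", '
    'authorization_url="https://sp.example.com/oauth/authorize", '
    'op_url="https://op.example.org/auth"'
)

if __name__ == "__main__":
    challenge = parse_oauth_challenge(SAMPLE_401_HEADER)
    for user in SAMPLE_DISCOVERY:
        print(user, "->", choose_redirect(challenge, user, "tok123"))
```

The only branch that sends the request token to an OP is the one where the identifier the user typed discovers to the exact OP the SP named in its challenge; a user whose OP differs (Bob above) is routed to the SP's ordinary authorization URL, so the hybrid path never hands the token to an OP the SP did not nominate.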
