OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom atom at yahoo-inc.com
Wed Nov 19 02:19:07 UTC 2008


Dirk Balfanz wrote:
>
> Oh I see. Ok. I'll make a new revision of the spec where I add a 
> required parameter (the consumer key) to the auth request.
>
Cool, thanks!


> What should the spec recommend the OP should do if the consumer key 
> and realm don't match? Return a cancel? Return something else?
>
I'd recommend an error consistent with Section 8.2.4 in the OpenID 2.0 
spec, with a new error_code value indicating that either the CK or 
the realm was invalid. There may actually need to be 2 errors, one to 
indicate that the CK is invalid, and another to indicate that the CK is 
not valid for the realm.

http://openid.net/specs/openid-authentication-2_0.html#anchor20

Allen



