OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Allen Tom
atom at yahoo-inc.com
Wed Nov 19 02:26:48 UTC 2008
Manger, James H wrote:
> Ideally, an app would attempt to access a protected resource at an SP and get:
> * A 401 Unauthenticated response from the SP; with
> * A “WWW-Authenticate: OAuth” header; with
> * A parameter providing the authorization URL; and
> * Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).
>
One problem with this approach is that many SPs like Yahoo and MySpace
will require developers to register their site to get a Consumer Key.
Given that the developer already has to manually get a CK, there might
not be that much value in defining a workflow for Consumers to discover the
OAuth endpoints.
Allen