OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Breno de Medeiros
breno at google.com
Wed Nov 19 02:29:55 UTC 2008
On Tue, Nov 18, 2008 at 6:26 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> Manger, James H wrote:
>> Ideally, an app would attempt to access a protected resource at an SP and get:
>> * A 401 Unauthenticated response from the SP; with
>> * A "WWW-Authenticate: OAuth" header; with
>> * A parameter providing the authorization URL; and
>> * Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).
> One problem with this approach is that many SPs like Yahoo and MySpace
> will require developers to register their site to get a Consumer Key.
> Given that the developer already has to manually get a CK, there might
> not be that much value in defining a workflow for Consumers to discover the
> OAuth endpoints.
I believe this technical problem will be solved anyway by the
integrated OpenID/OAuth discovery mechanism via XRD (currently under
discussion). As Allen remarks, though, its value will be limited while
manual registration is required by most service providers.
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
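The discovery flow quoted above, together with the registration caveat, as an added example that is not part of the original thread: a Consumer parses the `WWW-Authenticate: OAuth` challenge from a 401 response, accepts only https endpoints, and then looks up its pre-registered Consumer Key. The parameter names `authorization_uri` and `openid_provider`, the hosts, and the key value are assumptions; the thread does not define them.

```python
import re
from urllib.parse import urlsplit

# Constructed sample. "authorization_uri" and "openid_provider" are hypothetical
# parameter names; the thread does not define any.
SAMPLE_401 = {
    "status": 401,
    "headers": [
        ("WWW-Authenticate", 'Basic realm="legacy"'),
        ("WWW-Authenticate", 'OAuth realm="https://sp.example/", '
         'authorization_uri="https://sp.example/oauth/authorize", '
         'openid_provider="https://op.example/openid"'),
    ],
}

_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"((?:[^"\\]|\\.)*)"')

def parse_oauth_challenge(value):
    """Return the quoted parameters of an OAuth challenge, or None for other schemes."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "oauth":
        return None
    return {k.lower(): re.sub(r"\\(.)", r"\1", v) for k, v in _PARAM.findall(rest)}

def https_host(url):
    """Return the host of an https URL that carries no userinfo, else None."""
    try:
        parts = urlsplit(url or "")
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        return None
    return parts.hostname

def discover(response, consumer_keys):
    """Map a 401 to hybrid-flow endpoints plus the Consumer Key registered for that SP.
    consumer_key is None when the developer never registered with the SP."""
    if response["status"] != 401:
        return None
    for name, value in response["headers"]:
        params = parse_oauth_challenge(value) if name.lower() == "www-authenticate" else None
        if not params:
            continue
        auth, op = params.get("authorization_uri"), params.get("openid_provider")
        host = https_host(auth)
        if host is None or (op is not None and https_host(op) is None):
            return None  # the 401 is unauthenticated input: reject non-https endpoints
        return {"authorization_uri": auth, "openid_provider": op,
                "consumer_key": consumer_keys.get(host)}
    return None
```

With an empty key table, `discover` still returns both endpoints but `consumer_key` is `None`, which is the situation the thread describes: the endpoints are found automatically, yet the flow cannot proceed until the developer registers manually.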