OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom atom at yahoo-inc.com
Wed Nov 19 02:58:12 UTC 2008


Dirk Balfanz wrote:
> Ok, new spec is up: 
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html
>
>
>

Hi Dirk,

It doesn't look like the hybrid spec changes the OpenID association 
mechanism, so you should not mention the association mechanism in the 
last sentence of Section 3.

Under Security Considerations in Section 11, it would probably be good 
to mention that anyone knowing the CK can force the SP to display the 
hybrid approval page, while standard OAuth requires both the CK and the 
CSecret  to display a vanilla OAuth approval page.

Thanks
Allen





More information about the specs mailing list