OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Allen Tom
atom at yahoo-inc.com
Wed Nov 19 02:58:12 UTC 2008
Dirk Balfanz wrote:
> Ok, new spec is up:
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html
>
>
>
Hi Dirk,

It doesn't look like the hybrid spec changes the OpenID association
mechanism, so you should not mention the association mechanism in the
last sentence of Section 3.

Under Security Considerations in Section 11, it would probably be good
to mention that anyone knowing the CK can force the SP to display the
hybrid approval page, while standard OAuth requires both the CK and the
CSecret to display a vanilla OAuth approval page.

Thanks
Allen