OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom atom at
Wed Nov 19 02:58:12 UTC 2008

Dirk Balfanz wrote:
> Ok, new spec is up: 

Hi Dirk,

It doesn't look like the hybrid spec changes the OpenID association 
mechanism, so you should not mention the association mechanism in the 
last sentence of Section 3.

Under Security Considerations in Section 11, it would probably be good 
to mention that anyone knowing the CK can force the SP to display the 
hybrid approval page, while standard OAuth requires both the CK and the 
CSecret to display a vanilla OAuth approval page.

