OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Martin Atkins
mart at degeneration.co.uk
Wed Nov 19 03:45:09 UTC 2008
Allen Tom wrote:
> Manger, James H wrote:
>> Ideally, an app would attempt to access a protected resource at an SP and get:
>> * A 401 Unauthenticated response from the SP; with
>> * A “WWW-Authenticate: OAuth” header; with
>> * A parameter providing the authorization URL; and
>> * Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).
>>
>
> One problem with this approach is that many SPs like Yahoo and MySpace
> will require developers to register their site to get a Consumer Key.
> Given that the developer already has to manually get a CK, there might
> not be that much value in defining a workflow for Consumers to discover the
> OAuth endpoints.
>
As long as this is true it will be impossible for such SPs to expose
non-proprietary protocols like PortableContacts, so either these SPs
will need to find a way to work without pre-registration or we'll all
have to accept that the open stack is impossible and go find something
more productive to do.
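
A client-side sketch of the discovery flow proposed in the quoted text, added here as an example and not part of the original thread: it parses a `WWW-Authenticate: OAuth` challenge from a 401 and extracts the two advertised URLs. The parameter names `authorization_uri` and `openid_provider` are hypothetical (the proposal names none), and the https-only filter is an added assumption about how a client would treat an unauthenticated response.

```python
import re
from urllib.parse import urlsplit

# Hypothetical parameter names: the proposal in the thread does not name them.
AUTHZ_PARAM = "authorization_uri"
OP_PARAM = "openid_provider"

# One auth-param: name="quoted string" or name=token
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

# Constructed sample response headers, not captured from any real SP.
SAMPLE_HEADERS = {
    "WWW-Authenticate": 'OAuth realm="https://sp.example/", '
                        'authorization_uri="https://sp.example/oauth/authorize", '
                        'openid_provider="https://op.example/openid"'
}


def parse_oauth_challenge(header_value):
    """Return the parameters of an 'OAuth' challenge, or None for other schemes."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "oauth":
        return None
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        params[name.lower()] = value
    return params


def discover_endpoints(status, headers):
    """Extract the endpoints an SP advertises on a 401, keeping only https URLs."""
    if status != 401:
        return {}
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = parse_oauth_challenge(lowered.get("www-authenticate", ""))
    if challenge is None:
        return {}
    found = {}
    for key in (AUTHZ_PARAM, OP_PARAM):
        url = challenge.get(key)
        # The 401 is unauthenticated, so what it advertises is untrusted input.
        parts = urlsplit(url) if url else None
        if parts and parts.scheme == "https" and parts.netloc:
            found[key] = url
    return found
```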