OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Breno de Medeiros
breno at google.com
Wed Nov 19 03:48:26 UTC 2008
On Tue, Nov 18, 2008 at 7:45 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Allen Tom wrote:
>> Manger, James H wrote:
>>> Ideally, an app would attempt to access a protected resource at an SP and get:
>>> * A 401 Unauthenticated response from the SP; with
>>> * A "WWW-Authenticate: OAuth" header; with
>>> * A parameter providing the authorization URL; and
>>> * Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).
>>>
>>
>> One problem with this approach is that many SPs like Yahoo and MySpace
>> will require developers to register their site to get a Consumer Key.
>> Given that the developer already has to manually get a CK, there might
>> not that much value in defining a workflow for Consumers to discover the
>> OAuth endpoints.
>>
>
> As long as this is true it will be impossible for such SPs to expose
> non-proprietary protocols like PortableContacts, so either these SPs
> will need to find a way to work without pre-registration or we'll all
> have to accept that the open stack is impossible and go find something
> more productive to do.
At this point, there is no reasonably secure formulation of OAuth
without key registration.
We hope to add one for the hybrid protocol.
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
More information about the specs
mailing list