OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
mart at degeneration.co.uk
Wed Nov 19 03:57:46 UTC 2008
Breno de Medeiros wrote:
> At this point, there is no reasonably secure formulation of OAuth
> without key registration.
> We hope to add one for the hybrid protocol.
If that is true then OAuth is broken. Wouldn't it be better to fix this
problem in OAuth itself rather than only in the hybrid protocol?
Mobile and desktop apps need to be able to use OAuth as well, and since
consumer secrets are impractical for such apps there has to be a way to
use OAuth without consumer secrets in order to support them. The hybrid
protocol is not appropriate for desktop/mobile apps, so fixing it at
this level does not address the problem.
More information about the specs