OpenID/OAuth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Martin Atkins mart at
Wed Nov 19 03:57:46 UTC 2008

Breno de Medeiros wrote:
> At this point, there is no reasonably secure formulation of OAuth
> without key registration.
> We hope to add one for the hybrid protocol.

If that is true then OAuth is broken. Wouldn't it be better to fix this 
problem in OAuth itself rather than only in the hybrid protocol?

Mobile and desktop apps need to be able to use OAuth as well, and since
consumer secrets are impractical for such apps, there has to be a way to
use OAuth without consumer secrets in order to support them. The hybrid
protocol is not appropriate for desktop/mobile apps, so fixing it at
this level does not address the problem.


