OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Breno de Medeiros breno at
Wed Nov 19 04:06:24 UTC 2008

On Tue, Nov 18, 2008 at 7:57 PM, Martin Atkins <mart at> wrote:
> Breno de Medeiros wrote:
>> At this point, there is no reasonably secure formulation of OAuth
>> without key registration.
>> We hope to add one for the hybrid protocol.
> If that is true then OAuth is broken. Wouldn't it be better to fix this
> problem in OAuth itself rather than only in the hybrid protocol?

Addressing it at the level of the OAuth spec may be useful also, but
it is not really desirable to have the request token step in the
hybrid protocol for performance reasons. And any such "fix" for OAuth
that will work also for desktop apps will probably involve the request
token step (in fact it is not too hard to envision some strategies
along those lines).

> Mobile and desktop apps need to be able to use OAuth as well, and since
> consumer secrets are impractical for such apps there has to be a way to use
> OAuth without consumer secrets in order to support them. The hybrid protocol
> is not appropriate for desktop/mobile apps, so fixing it at this level does
> not address the problem.
> Cheers,
> Martin


+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
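The exchange above turns on what a registered consumer secret actually contributes to an OAuth request and what a consumer without one can still prove. The block below is an added example, not code from the thread or from any OpenID/OAuth implementation: it builds the RFC 5849 section 3.4 signature base string and HMAC-SHA1 signature, reproducing the request parameters of the RFC's own worked example, and then runs a constructed scenario in which a token secret has leaked from a desktop client (which cannot hide it) while the consumer secret has not. The secrets, the `forgery_with_only_token_secret` scenario and the URL are assumptions made for illustration.

```python
"""Added example (not from the thread): the OAuth 1.0 HMAC-SHA1 signature
as specified in RFC 5849 section 3.4, showing what a registered consumer
secret buys and what is lost when a consumer has no registered key.
The secrets and the 'attacker' scenario below are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 5849 3.6 percent-encoding: only A-Za-z0-9 - . _ ~ are left bare."""
    return quote(str(value), safe="~")


def normalize_params(params):
    """3.4.1.3.2: encode names and values, sort by name then value, join with &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, base_url, params):
    """3.4.1.1: METHOD & enc(base URL) & enc(normalized params).
    `params` must not include oauth_signature itself."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """3.4.2: the key is enc(consumer secret) & enc(token secret); either may be empty,
    so a consumer with no registered secret signs with a key of '&' + token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    text = signature_base_string(method, base_url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode("ascii")


def verify_signature(method, base_url, params, presented, consumer_secret, token_secret):
    """Server side: recompute with the secrets on record and compare in constant time."""
    expected = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Request parameters from the RFC 5849 section 3.4.1.1 worked example (decoded values).
RFC_EXAMPLE_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # from the query string
    ("c2", ""), ("a3", "2 q"),                                # from the form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]


def forgery_with_only_token_secret(consumer_secret_on_record):
    """Constructed scenario (assumption, not from the thread): the token secret has
    leaked from a desktop client, but the attacker does not know the consumer
    secret and signs with an empty one. Returns True if a server that holds
    `consumer_secret_on_record` for this consumer accepts the forged request."""
    token_secret = "constructed-token-secret"
    forged = hmac_sha1_signature("POST", "http://example.com/request",
                                 RFC_EXAMPLE_PARAMS, "", token_secret)
    return verify_signature("POST", "http://example.com/request",
                            RFC_EXAMPLE_PARAMS, forged,
                            consumer_secret_on_record, token_secret)


if __name__ == "__main__":
    print(signature_base_string("POST", "http://example.com/request", RFC_EXAMPLE_PARAMS))
    print("registered secret, forgery accepted:",
          forgery_with_only_token_secret("constructed-consumer-secret"))
    print("no registered secret, forgery accepted:",
          forgery_with_only_token_secret(""))
```

With a consumer secret on record the forged request is rejected; with an empty secret on record (the secret-less consumer the thread is debating) the same forgery is accepted, because the signature then proves possession of the token secret only and says nothing about which consumer sent it. That is the gap the request token step, with a registered key, is meant to close.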
