OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Dirk Balfanz balfanz at google.com
Wed Nov 19 06:00:59 UTC 2008


On Tue, Nov 18, 2008 at 6:19 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> Dirk Balfanz wrote:
>
>> Oh I see. Ok. I'll make a new revision of the spec where I add a required
>> parameter (the consumer key) to the auth request.
>
> Cool, thanks!
>
>> What should the spec recommend the OP should do if the consumer key and
>> realm don't match? Return a cancel? Return something else?
>
> I'd recommend an error consistent with Section 8.2.4 in the OpenID 2.0
> spec, with a new error_code value indicating that either the CK or the
> realm was invalid. There may actually need to be 2 errors, one to indicate
> that the CK is invalid, and another to indicate that the CK is not valid for
> the realm.
>
> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>

But Section 8.2 is about the association response. In the auth response, we
currently only have cancel or setup_needed. If we invent another error
condition there, we're no longer a pure "extension".

Dirk.


> Allen
>
>