OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Breno de Medeiros breno at google.com
Wed Nov 19 06:08:06 UTC 2008


On Tue, Nov 18, 2008 at 10:04 PM, Breno de Medeiros <breno at google.com> wrote:
> On Tue, Nov 18, 2008 at 10:00 PM, Dirk Balfanz <balfanz at google.com> wrote:
>>
>>
>> On Tue, Nov 18, 2008 at 6:19 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>>>
>>> Dirk Balfanz wrote:
>>>>
>>>> Oh I see. Ok. I'l make a new revision of the spec where I add a required
>>>> parameter (the consumer key) to the auth request.
>>>>
>>> Cool, thanks!
>>>
>>>
>>>> What should the spec recommend the OP should do if the consumer key and
>>>> realm don't match? Return a cancel? Return something else?
>>>>
>>> I'd recommend an error consistent with Section 8.2.4 in the OpenID 2.0
>>> spec, with a new error_code value indicating that the either the CK or the
>>> realm was invalid. There may actually need to be 2 errors, one to indicate
>>> that the CK is invalid, and another to indicate that the CK is not valid for
>>> the realm.
>>>
>>> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>>
>> But Section 8.2 is about the association response. In the auth response, we
>> currently only have cancel or setup_needed. If we invent another error
>> condition there, we're no longer a pure "extension".
>
> The solution is to add an optional term in the openid.oauth response
> and return the appropriate error code from the OAuth error handling
> spec.

Actually, I meant a required term, to be present only in "unsuccessful
OAuth responses"

>
>>
>> Dirk.
>>>
>>> Allen
>>>
>>
>>
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)



More information about the specs mailing list