OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
balfanz at google.com
Wed Nov 19 06:23:55 UTC 2008
On Tue, Nov 18, 2008 at 6:58 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> Dirk Balfanz wrote:
>> Ok, new spec is up:
> Hi Dirk,
> It doesn't look like the hybrid spec changes the OpenID association
> mechanism, so you should not mention the association mechanism in the last
> sentence of Section 3.
Good catch. I took out the whole sentence.
> Under Security Considerations in Section 11, it would probably be good to
> mention that anyone knowing the CK can force the SP to display the hybrid
> approval page, while standard OAuth requires both the CK and the CSecret to
> display a vanilla OAuth approval page.
Good idea. I added a paragraph in Section 11 explaining this.
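
The difference Allen describes, sketched from the SP's side as an added example (not code from this thread or from the hybrid spec). The consumer registry, the URL and the hybrid field name `consumer_key` are constructed or hypothetical, and nonce/timestamp checks are left out to keep the focus on the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed SP-side registry (CK -> CSecret); placeholder values.
CONSUMERS = {"example-ck": "example-csecret"}
REQUEST_TOKEN_URL = "https://sp.example/oauth/request_token"  # constructed

def _enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def oauth_signature(method, url, params, csecret, token_secret=""):
    """HMAC-SHA1 over the OAuth 1.0 signature base string."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(csecret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sp_issues_request_token(method, url, params):
    """Standard OAuth: no request token (so no approval page) without a
    signature made with the CSecret registered for this CK."""
    csecret = CONSUMERS.get(params.get("oauth_consumer_key"))
    if csecret is None:
        return False
    expected = oauth_signature(method, url, params, csecret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def sp_shows_hybrid_approval(openid_request):
    """Hybrid: the CK rides unsigned in the OpenID request, so the SP can
    only check that it is a registered CK. 'consumer_key' is a hypothetical
    field name used for this sketch."""
    return openid_request.get("consumer_key") in CONSUMERS

def approval_pages_with_ck_only(ck):
    """What a caller who knows the CK but not the CSecret gets in each flow.
    Returns (standard_oauth_page, hybrid_page)."""
    params = {"oauth_consumer_key": ck, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1227075835", "oauth_nonce": "constructed"}
    # Without the CSecret the caller can only sign with something else.
    params["oauth_signature"] = oauth_signature(
        "POST", REQUEST_TOKEN_URL, params, csecret="")
    standard = sp_issues_request_token("POST", REQUEST_TOKEN_URL, params)
    hybrid = sp_shows_hybrid_approval({"consumer_key": ck})
    return standard, hybrid
```
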