OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Dirk Balfanz balfanz at google.com
Wed Nov 19 06:23:55 UTC 2008


On Tue, Nov 18, 2008 at 6:58 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> Dirk Balfanz wrote:
>
>> Ok, new spec is up:
>> http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html
>>
> Hi Dirk,
>
> It doesn't look like the hybrid spec changes the OpenID association
> mechanism, so you should not mention the association mechanism in the last
> sentence of Section 3.
>

Good catch. I took out the whole sentence.


>
> Under Security Considerations in Section 11, it would probably be good to
> mention that anyone knowing the CK can force the SP to display the hybrid
> approval page, while standard OAuth requires both the CK and the CSecret to
> display a vanilla OAuth approval page.
>

Good idea. I added a paragraph in Section 11 explaining this.

Dirk.


> Thanks
> Allen
>
>
>