OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Martin Atkins mart at
Wed Nov 19 21:02:30 UTC 2008

There is definitely a benefit to not having to roll a new implementation 
of key authorization for each provider. I'm not saying that OAuth serves 
no purpose at all.

I'm just saying that requiring a business relationship to exist between 
every consumer and every service provider is not conducive to creating 
an open marketplace where anyone can be a consumer and anyone can be a 
provider as we see with OpenID, and it can't scale beyond a few providers.

So while code reuse is a good thing, I'd like to think we can achieve 
more than that.

Allen Tom wrote:
> Hi Martin,
> Not sure why you say that requiring pre-registration and having an open 
> stack are mutually exclusive. Are you saying that there's no benefit for 
> service providers to provide a standard interface to developers?
> Allen
> Martin Atkins wrote:
>> Allen Tom wrote:
>>> One problem with this approach is that many SPs like Yahoo and 
>>> MySpace will require developers to register their site to get a 
>>> Consumer Key. Given that the developer already has to manually get a 
>>> CK, there might not be that much value in defining a workflow for 
>>> Consumers to discover the OAuth endpoints.
>> As long as this is true it will be impossible for such SPs to expose 
>> non-proprietary protocols like PortableContacts, so either these SPs 
>> will need to find a way to work without pre-registration or we'll all 
>> have to accept that the open stack is impossible and go find something 
>> more productive to do.
