OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
Allen Tom
atom at yahoo-inc.com
Wed Nov 19 22:31:57 UTC 2008
Since the new hybrid draft spec doesn't affect the OpenID association
method, this is moot.
However, the spec should mention what SPs should do if the CK is invalid
(or doesn't match the realm) in the OpenID authentication request.
Presumably, the SP should continue servicing the OpenID portion of the
request, however, the response should indicate why the OAuth portion of
the request failed.
Allen
Dirk Balfanz wrote:
>
>
> I'd recommend an error consistent with Section 8.2.4 in the OpenID
> 2.0 spec, with a new error_code value indicating that the either
> the CK or the realm was invalid. There may actually need to be 2
> errors, one to indicate that the CK is invalid, and another to
> indicate that the CK is not valid for the realm.
>
> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>
>
> But Section 8.2 is about the association response. In the auth
> response, we currently only have cancel or setup_needed. If we invent
> another error condition there, we're no longer a pure "extension".
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20081119/00b5d18b/attachment-0002.htm>
More information about the specs
mailing list