OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Allen Tom
Wed Nov 19 22:31:57 UTC 2008

Since the new hybrid draft spec doesn't affect the OpenID association 
method, this is moot.

However, the spec should mention what SPs should do if the CK is invalid 
(or doesn't match the realm) in the OpenID authentication request. 
Presumably, the SP should continue servicing the OpenID portion of the 
request; however, the response should indicate why the OAuth portion of 
the request failed.


Dirk Balfanz wrote:
>     I'd recommend an error consistent with Section 8.2.4 in the OpenID
>     2.0 spec, with a new error_code value indicating that either
>     the CK or the realm was invalid. There may actually need to be 2
>     errors, one to indicate that the CK is invalid, and another to
>     indicate that the CK is not valid for the realm.
> But Section 8.2 is about the association response. In the auth 
> response, we currently only have cancel or setup_needed. If we invent 
> another error condition there, we're no longer a pure "extension". 
