OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

Dirk Balfanz balfanz at google.com
Wed Nov 19 22:52:21 UTC 2008


On Wed, Nov 19, 2008 at 2:31 PM, Allen Tom <atom at yahoo-inc.com> wrote:

>  Since the new hybrid draft spec doesn't affect the OpenID association
> method, this is moot.
>
> However, the spec should mention what SPs should do if the CK is invalid
> (or doesn't match the realm) in the OpenID authentication request.
> Presumably, the SP should continue servicing the OpenID portion of the
> request, however, the response should indicate why the OAuth portion of the
> request failed.
>

How about, to mimic what happens with association handles, we can return in
the response an openid.oauth.invalid_consumer parameter instead of
openid.oauth.consumer? It would mean that either the CK was just wrong or
that it didn't match the realm. Although at this point it starts to get
pretty complicated.

Does this error condition really need to be communicated back to the RP? For
development etc., it might be enough to just show an error page to the user
explaining what happened.

Dirk.



>
> Allen
>
>
> Dirk Balfanz wrote:
>
>
>
>>>  I'd recommend an error consistent with Section 8.2.4 in the OpenID 2.0
>> spec, with a new error_code value indicating that the either the CK or the
>> realm was invalid. There may actually need to be 2 errors, one to indicate
>> that the CK is invalid, and another to indicate that the CK is not valid for
>> the realm.
>>
>> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>>
>
>  But Section 8.2 is about the association response. In the auth response,
> we currently only have cancel or setup_needed. If we invent another error
> condition there, we're no longer a pure "extension".
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20081119/172bfbde/attachment-0002.htm>


More information about the specs mailing list