OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]
atom at yahoo-inc.com
Sat Nov 22 00:04:06 UTC 2008
How about if the openid.oauth.scope response parameter defined in
Section 9 be changed to be a more generic OAuth status indicator? It can
be used to indicate which scopes were authorized in the success case, or
it can be used as status/problem indicator if there was an error.
Perhaps the allowed values can be the same as the values defined in the
Dirk Balfanz wrote:
> On Wed, Nov 19, 2008 at 2:31 PM, Allen Tom <atom at yahoo-inc.com
> <mailto:atom at yahoo-inc.com>> wrote:
> Since the new hybrid draft spec doesn't affect the OpenID
> association method, this is moot.
> However, the spec should mention what SPs should do if the CK is
> invalid (or doesn't match the realm) in the OpenID authentication
> request. Presumably, the SP should continue servicing the OpenID
> portion of the request, however, the response should indicate why
> the OAuth portion of the request failed.
> How about, to mimic what happens with association handles, we can
> return in the response an openid.oauth.invalid_consumer parameter
> instead of openid.oauth.consumer? It would mean that either the CK was
> just wrong or that it didn't match the realm. Although at this point
> it starts to get pretty complicated.
> Does this error condition really need to be communicated back to the
> RP? For development etc., it might be enough to just show an error
> page to the user explaining what happened.
> Dirk Balfanz wrote:
>> I'd recommend an error consistent with Section 8.2.4 in the
>> OpenID 2.0 spec, with a new error_code value indicating that
>> the either the CK or the realm was invalid. There may
>> actually need to be 2 errors, one to indicate that the CK is
>> invalid, and another to indicate that the CK is not valid for
>> the realm.
>> But Section 8.2 is about the association response. In the auth
>> response, we currently only have cancel or setup_needed. If we
>> invent another error condition there, we're no longer a pure
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the specs