OpenID/OAuth hybrid - discovery

Manger, James H James.H.Manger at
Tue Nov 25 01:34:08 UTC 2008

Section 5 Discovery of the OpenID/OAuth hybrid draft spec says
should appear in the XRDS discovery document to indicate support for the protocol.

This doesn't seem to be the right way around.

Discovery is performed on a user's OpenID identifier. It does not make sense for a user to indicate if an OP supports the hybrid protocol.
Additionally, support cannot be indicated by users who use an HTML page for their OpenID identifier (with an <link rel="openid2.provider" href="..."/> element).

An OP could indicate that it supports the hybrid protocol in its own XRDS file, assuming all users use directed identity and they all use the same OP XRDS file. I hope we don't have to hardwire these assumptions into the hybrid spec.
Even in this case, however, indicating hybrid support at the OP is not of much use if the RP/consumer cannot tell which protected resources are covered.

For example, adding the hybrid indicator to the Yahoo OP XRDS file <> does not tell an app if it can use the hybrid protocol to access:
* Yahoo email address book (probably);
* Flickr photos (maybe?, it is owned by Yahoo);
* Microsoft Hotmail (perhaps not currently, but a Yahoo/Microsoft merger was discussed earlier this year);
* Picasa photos (presumably not, as it is owned by Google).

Discovery could work if the metadata for the OAuth Service Provider indicated it supports the hybrid protocol with a specific OP.

[My preferred way to indicate this would be: a request to a protected resource receiving a "401 Unauthenticated" response with a "WWW-Authenticate" HTTP header that included the URL of the OP. If that OP URL matches the OP found from OpenID discovery on the user's OpenID identifier then the app can use the hybrid protocol.]

James Manger
James.H.Manger at
Identity and security team — Chief Technology Office — Telstra
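The RP-side check that James sketches in the bracketed paragraph, as an added example (this is not code from the post, the draft spec, or any OpenID library): a protected resource answers 401 with a WWW-Authenticate challenge that names the OP, and the RP only uses the hybrid flow if that OP URL matches the OP endpoint it found by OpenID discovery on the user's identifier. The parameter name `openid_provider` in the challenge is a hypothetical name chosen for this example, since the post does not define one; the XRDS type URIs for OP endpoints and the XRDS namespaces are the real OpenID 2.0 values. The XRDS document and challenge headers are constructed sample data.

```python
"""Match the OP named in a 401 challenge against the OP found by OpenID discovery.

Added illustration of the proposal in the message above. Assumed (not in the
post or the draft spec): the OAuth challenge carries the OP URL in a parameter
called ``openid_provider`` (hypothetical name).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Real OpenID 2.0 service type URIs that identify an OP endpoint in an XRDS.
OP_TYPES = {
    "http://specs.openid.net/auth/2.0/server",  # OP identifier (directed identity)
    "http://specs.openid.net/auth/2.0/signon",  # claimed identifier
}
XRD_NS = "xri://$xrd*($v*2.0)"  # real XRD 2.0 namespace

# Constructed sample XRDS as it might be served for an OP identifier.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://OP.example.net:443/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample WWW-Authenticate values from a protected resource.
MATCHING_CHALLENGE = 'OAuth realm="https://photos.example.com/", openid_provider="https://op.example.net/openid"'
FOREIGN_CHALLENGE = 'OAuth realm="https://photos.example.com/", openid_provider="https://other-op.example.org/"'
NO_OP_CHALLENGE = 'OAuth realm="https://photos.example.com/"'


def normalize_url(url: str) -> str:
    """Canonicalise a URL so textual differences do not defeat the comparison:
    lower-case scheme and host, drop default ports and fragments, empty path -> '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if port is None or default else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def parse_challenge(header: str):
    """Split a WWW-Authenticate value into (scheme, {param: value}).
    Handles quoted and unquoted auth-param values (RFC 2617 style)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in re.finditer(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def op_endpoints_from_xrds(xrds_xml: str) -> set:
    """Return the normalised URIs of every Service advertising an OP endpoint type."""
    root = ET.fromstring(xrds_xml)
    endpoints = set()
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if types & OP_TYPES:
            for uri in service.findall(f"{{{XRD_NS}}}URI"):
                if uri.text:
                    endpoints.add(normalize_url(uri.text.strip()))
    return endpoints


def hybrid_usable(www_authenticate: str, xrds_xml: str, param: str = "openid_provider") -> bool:
    """True only if the challenge is an OAuth challenge naming an OP that is one of
    the OP endpoints found by discovery on the user's identifier. A missing
    parameter or an unrelated OP means the RP must fall back to plain OAuth."""
    scheme, params = parse_challenge(www_authenticate)
    if scheme.lower() != "oauth" or param not in params:
        return False
    return normalize_url(params[param]) in op_endpoints_from_xrds(xrds_xml)


if __name__ == "__main__":
    for label, challenge in (("matching", MATCHING_CHALLENGE),
                             ("foreign OP", FOREIGN_CHALLENGE),
                             ("no OP named", NO_OP_CHALLENGE)):
        print(f"{label:12s} -> hybrid usable: {hybrid_usable(challenge, SAMPLE_XRDS)}")
```

The comparison is done on normalised URLs so that `https://OP.example.net:443/openid` in the XRDS and `https://op.example.net/openid` in the challenge are recognised as the same OP; without that step an RP would wrongly fall back to plain OAuth, or, worse, a loose string test could be made to pass by an unrelated host.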
