OpenID/OAuth hybrid - discovery

Breno de Medeiros breno at
Tue Nov 25 01:44:59 UTC 2008

On Mon, Nov 24, 2008 at 5:34 PM, Manger, James H
<James.H.Manger at> wrote:
> Section 5 Discovery of the OpenID/OAuth hybrid draft spec says
>  <xrd:Type></xrd:Type>
> should appear in the XRDS discovery document to indicate support for the protocol.
> This doesn't seem to be the right way around.
> Discovery is performed on a user's OpenID identifier. It does not make sense for a user to indicate if an OP supports the hybrid protocol.
> Additionally, support cannot be indicated by users who use an HTML page for their OpenID identifier (with an <link rel="openid2.provider" href="..."/> element).
> An OP could indicate that it supports the hybrid protocol in its own XRDS file, assuming all users use directed identity and they all use the same OP XRDS file. I hope we don't have to hardwire these assumptions into the hybrid spec.

The fact that the OP indicates support for hybrid has nothing to do
with directed identity, of whether or not they use the same XRDS file.

> Even in this case, however, indicating hybrid support at the OP is not of much use if the RP/consumer cannot tell which protected resources are covered.
> For example, adding the hybrid indicator to the Yahoo OP XRDS file <> does not tell an app if it can use the hybrid protocol to access:
> * Yahoo email address book (probably);
> * Flickr photos (maybe?, it is owned by Yahoo);
> * Microsoft hotmail (perhaps not currently, but a Yahoo/Microsoft merger was discussed earlier this year);
> * Picassa photos (presumably not, as it is owned by Google).

This is out of scope for this spec, because OAuth discovery is under

> Discovery could work if the metadata for the OAuth Service Provider indicated it supports the hybrid protocol with a specific OP.
> [My preferred way to indicate this would be: a request to a protected resource receiving a "401 Unauthenticated" response with a "WWW-Authenticate" HTTP header that included the URL of the OP. If that OP URL matches the OP found from OpenID discovery on the user's OpenID identifier then the app can use the hybrid protocol.]
> James Manger
> James.H.Manger at
> Identity and security team — Chief Technology Office — Telstra
> _______________________________________________
> specs mailing list
> specs at


+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

More information about the specs mailing list