OpenID/OAuth hybrid - discovery

Manger, James H James.H.Manger at
Tue Nov 25 02:48:28 UTC 2008

>> Learning just that an OP supports the hybrid protocol
>> (without any indication of the associated protected resources)
>> seems to be of minimal value.

> Yes. However, when OAuth discovery happens (and the standardization
> effort is under way) it will much more than minimal value.
> Standardizing OAuth discovery is not in scope for this spec, but
> standardizing hybrid support indication is.

A future "OAuth discovery" could say:
 "This SP supports the hybrid protocol with this OP http://..."
In this case section "5 Discovery" in the hybrid spec adds no value because the app already knows about the support.

Or a future "OAuth discovery" might not mention OpenID.
In this case section "5 Discovery" in the hybrid spec barely helps as there are no links between OP and SP.

>> James Manger
>> James.H.Manger at
>> Identity and security team — Chief Technology Office — Telstra

More information about the specs mailing list