OpenID/OAuth hybrid - discovery

Dirk Balfanz balfanz at
Tue Nov 25 05:06:32 UTC 2008

I'm not sure I understand what the commotion is about :-)
OAuth discovery (when it is done) will answer the question: given the URL
of a resource, where do I go to get access tokens for that resource? The
question answered by the XRD element described in Section 5 is "does this
OpenID endpoint support the Hybrid protocol?" These two questions are
somewhat related, but clearly different. And, yes, the latter is not nearly
as exciting as the former.


On Mon, Nov 24, 2008 at 6:48 PM, Manger, James H <
James.H.Manger at> wrote:

> >> Learning just that an OP supports the hybrid protocol
> >> (without any indication of the associated protected resources)
> >> seems to be of minimal value.
> > Yes. However, when OAuth discovery happens (and the standardization
> > effort is under way) it will have much more than minimal value.
> > Standardizing OAuth discovery is not in scope for this spec, but
> > standardizing hybrid support indication is.
> A future "OAuth discovery" could say:
>  "This SP supports the hybrid protocol with this OP http://..."
> In this case section "5 Discovery" in the hybrid spec adds no value because
> the app already knows about the support.
> Or a future "OAuth discovery" might not mention OpenID.
> In this case section "5 Discovery" in the hybrid spec barely helps as there
> are no links between OP and SP.
> >> James Manger
> >> James.H.Manger at
> >> Identity and security team — Chief Technology Office — Telstra