OpenID/OAuth hybrid - discovery
mart at degeneration.co.uk
Tue Nov 25 06:06:49 UTC 2008
Dirk Balfanz wrote:
> I'm not sure I understand what the commotion is about :-)
>
> OAuth discovery (when it is done), will answer the question: given the
> URL of a resource, where do I go to get access tokens for that resource.
> The question answered by the XRD element described in Section 5 is "does
> this OpenID endpoint support the Hybrid protocol". These two questions
> are somewhat related, but clearly different. And, yes, the latter is not
> nearly as exciting as the former.

What is a consumer intended to do with this information?

Telling me that the OpenID provider also supports the OAuth hybrid
protocol is not useful alone. It's not like I can just take any OAuth
token in the world and feed it to this endpoint.

More useful, I think, would be to have the OAuth discovery information
*at the service endpoint* say that "the OAuth authorization URL for this
service is <some-url>, and the combined OpenID/OAuth endpoint for this
service is <some-other-url>". The first part of this will presumably be
catered for by OAuth discovery. The second part seems like it ought to
be an extension to OAuth discovery, though I don't have a good answer
for what exactly it'd look like on the wire.

As currently specced, I'm not sure what problem that section is
addressing or what value it provides. Perhaps for now it'd be better to
take that part out of the Hybrid Protocol specification and defer that
problem until it's clearer how OAuth discovery will work in general.