OpenID/OAuth hybrid - discovery

Martin Atkins mart at
Tue Nov 25 06:06:49 UTC 2008

Dirk Balfanz wrote:
> I'm not sure I understand what the commotion is about :-)
> OAuth discovery (when it is done), will answer the question: given the 
> URL of a resource, where do I go to get access tokens for that resource. 
> The question answered by the XRD element described in Section 5 is "does 
> this OpenID endpoint support the Hybrid protocol". These two questions 
> are somewhat related, but clearly different. And, yes, the latter is not 
> nearly as exciting as the former.

What is a consumer intended to do with this information?

Telling me that the OpenID provider also supports the OAuth hybrid 
protocol is not useful alone. It's not like I can just take any OAuth 
token in the world and feed it to this endpoint.

More useful, I think, would be to have the OAuth discovery information 
*at the service endpoint* say that "the OAuth authorization URL for this 
service is <some-url>, and the combined OpenID/OAuth endpoint for this 
service is <some-other-url>". The first part of this will presumably be 
catered for by OAuth discovery. The second part seems like it ought to 
be an extension to OAuth discovery, though I don't have a good answer 
for what exactly it'd look like on the wire.

As currently speced, I'm not sure what problem that section is 
addressing or what value it provides. Perhaps for now it'd be better to 
take that part out of the Hybrid Protocol specification and defer that 
problem until it's clearer how OAuth discovery will work in general.

More information about the specs mailing list