OpenID/OAuth hybrid - discovery
Martin Atkins
mart at degeneration.co.uk
Tue Nov 25 07:26:37 UTC 2008
Dirk Balfanz wrote:
>
> We're defining an OpenID extension. Consumer will want to know whether
> or not a given endpoint speaks that extension. That's all it's doing -
> just like AX or PAPE have a section on discoverability. It also gives
> consumers a way to look for the combined OpenID/OAuth endpoint (assuming
> that one day we'll have these massive XRD documents advertising all
> sorts of things - OAuth request token endpoints, portable contact
> endpoints, etc.).
>
I guess I'm assuming that the OAuth service saying "use that OpenID
provider for hybrid OpenID/OAuth" implies that the OpenID Provider
supports the extension.
However, I guess the following flow could arise:
* User does something that requires OAuth.
* Consumer does OAuth Discovery (to be defined) and determines,
amongst other things, the URL of the OpenID Provider that will do the
combined OpenID/OAuth bit.
* Consumer does discovery on the OpenID Provider and determines that
it doesn't actually support the extension.
* Consumer falls back on the non-combined flow, or just tells the user
that the service provider is broken.
While it's nice to fail early in this case, the consumer still needs to
deal with a bunch of post-authorization failure cases:
* Provider claimed to support the extension but didn't actually return
anything.
* Provider claimed to support the extension but the approved request
token doesn't actually work for some reason.
* Provider claimed to support the extension but it turns out it
doesn't support this particular sort of request token.
* ...
In most cases, the implication from the OAuth discovery step will be
enough and everything will work out. I'm not sure whether failing early
in this one (unlikely) error case is worth the extra HTTP transaction(s)
to find out whether the provider really supports the extension. It'd be
more efficient to just send a request to the OpenID provider with the
extension arguments and see if you get back a response.
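The two checks the message discusses, as an added example that is not part of the original post or of any OpenID/OAuth hybrid specification text: a consumer that fails early by inspecting the OpenID Provider's XRDS for the hybrid extension's Type URI, and that treats the post-authorization response as the real test, falling back (returning None) whenever the OP advertised the extension but did not return a usable, signed request token. The Type URI `http://specs.openid.net/extensions/oauth/1.0` is the one the published OpenID OAuth Extension later used and is an assumption here; the endpoints, XRDS documents, token values and response query strings are all constructed for the example.

```python
"""Added example (not from the original post or any OpenID/OAuth spec).

Early discovery check plus post-authorization check for the hybrid extension.
The hybrid Type URI, endpoints, tokens and documents are assumptions constructed
for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_NS = "http://specs.openid.net/auth/2.0"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
HYBRID_TYPE = "http://specs.openid.net/extensions/oauth/1.0"  # assumed Type URI

# Constructed XRDS: an OP that advertises the hybrid extension ...
XRDS_WITH_HYBRID = f"""<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="0">
      <Type>{OP_SERVER_TYPE}</Type>
      <Type>{HYBRID_TYPE}</Type>
      <URI>https://op.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""
# ... and one that only speaks plain OpenID 2.0.
XRDS_WITHOUT_HYBRID = XRDS_WITH_HYBRID.replace(f"      <Type>{HYBRID_TYPE}</Type>\n", "")


def op_supports_hybrid(xrds_xml: str) -> bool:
    """Early check: does an OP-server Service element also list the hybrid Type URI?"""
    root = ET.fromstring(xrds_xml)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OP_SERVER_TYPE in types and HYBRID_TYPE in types:
            return True
    return False


def build_auth_request(xrds_xml: str, consumer_key: str, scope: str) -> dict:
    """checkid_setup parameters; the extension arguments are added only when advertised."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
        "openid.return_to": "https://consumer.example/return",  # assumed endpoint
    }
    if op_supports_hybrid(xrds_xml):
        params["openid.ns.oauth"] = HYBRID_TYPE
        params["openid.oauth.consumer"] = consumer_key
        params["openid.oauth.scope"] = scope
    return params


def extract_request_token(response_query: str):
    """Post-authorization check. Returns the approved request token, or None when the
    OP returned no token, returned it under no hybrid namespace, returned it empty, or
    left the extension fields out of openid.signed (an unsigned token could have been
    injected on the redirect path). The OpenID signature itself is still verified by
    the consumer's normal OpenID machinery, which this example does not model."""
    q = {k: v[0] for k, v in parse_qs(response_query, keep_blank_values=True).items()}
    if q.get("openid.mode") != "id_res":
        return None
    alias = next((k[len("openid.ns."):] for k, v in q.items()
                  if k.startswith("openid.ns.") and v == HYBRID_TYPE), None)
    if alias is None:
        return None
    signed = set(q.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed or f"{alias}.request_token" not in signed:
        return None
    return q.get(f"openid.{alias}.request_token") or None


def _response(fields: dict) -> str:
    """Build a constructed positive assertion (id_res) query string."""
    base = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
            "openid.op_endpoint": "https://op.example/openid",
            "openid.return_to": "https://consumer.example/return",
            "openid.sig": "c2lnbmF0dXJl"}  # constructed placeholder, not a real signature
    base.update(fields)
    return urlencode(base)


BASE_SIGNED = "op_endpoint,return_to,response_nonce,assoc_handle"
GOOD_RESPONSE = _response({"openid.ns.oauth": HYBRID_TYPE,
                           "openid.oauth.request_token": "abc123",
                           "openid.signed": BASE_SIGNED + ",ns.oauth,oauth.request_token"})
# OP "supports" the extension but returned no token at all.
MISSING_TOKEN_RESPONSE = _response({"openid.ns.oauth": HYBRID_TYPE,
                                    "openid.signed": BASE_SIGNED + ",ns.oauth"})
# Token present but not covered by the signature.
UNSIGNED_TOKEN_RESPONSE = _response({"openid.ns.oauth": HYBRID_TYPE,
                                     "openid.oauth.request_token": "abc123",
                                     "openid.signed": BASE_SIGNED})

if __name__ == "__main__":
    print(op_supports_hybrid(XRDS_WITH_HYBRID), op_supports_hybrid(XRDS_WITHOUT_HYBRID))
    print(extract_request_token(GOOD_RESPONSE), extract_request_token(MISSING_TOKEN_RESPONSE),
          extract_request_token(UNSIGNED_TOKEN_RESPONSE))
```

Whichever way the discovery question is settled, the second function is the check that matters: the consumer must not treat a request token as approved just because the OP's XRDS, or the OAuth service's discovery data, said the extension was supported.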