OpenID/OAuth hybrid - discovery

Martin Atkins mart at
Tue Nov 25 07:26:37 UTC 2008

Dirk Balfanz wrote:
> We're defining an OpenID extension. Consumer will want to know whether 
> or not a given endpoint speaks that extension. That's all it's doing - 
> just like AX or PAPE have a section on discoverability. It also gives 
> consumers a way to look for the combined OpenID/OAuth endpoint (assuming 
> that one day we'll have these massive XRD documents advertising all 
> sorts of things - OAuth request token endpoints, portable contact 
> endpoints, etc.).

I guess I'm assuming that the OAuth service saying "use that OpenID 
provider for hybrid OpenID/OAuth" implies that the OpenID Provider 
supports the extension.

However, I guess the following flow could arise:
  * User does something that requires OAuth.
  * Consumer does OAuth Discovery (to be defined) and determines, 
amongst other things, the URL of the OpenID Provider that will do the 
combined OpenID/OAuth bit.
  * Consumer does discovery on the OpenID Provider and determines that 
it doesn't actually support the extension.
  * Consumer falls back on the non-combined flow, or just tells the user 
that the service provider is broken.

While it's nice to fail early in this case, the consumer still needs to 
deal with a bunch of post-authorization failure cases:
  * Provider claimed to support the extension but didn't actually return 
  * Provider claimed to support the extension but the approved request 
token doesn't actually work for some reason.
  * Provider claimed to support the extension but it turns out it 
doesn't support this particular sort of request token.
  * ...

In most cases, the implication from the OAuth discovery step will be 
enough and everything will work out. I'm not sure whether failing early 
in this one (unlikely) error case is worth the extra HTTP transaction(s) 
to find out whether the provider really supports the extension. It'd be 
more efficient to just send a request to the OpenID provider with the 
extension arguments and see if you get back a response.

More information about the specs mailing list