OpenID/OAuth hybrid - without app pre-registration

Breno de Medeiros breno at
Wed Nov 26 17:16:05 UTC 2008

I will answer this question with two possibilities:

1. Auto-registration. We have done some research at Google to allow
auto-registration of consumer keys (as a possible OAuth extension).
This did not make into the first version of our proposal for OAuth for
unregistered consumers, but we may want to revisit this with the broad
OpenID/OAuth community at some point. Our initial results in that area
did influence our thinking that we could drop the request token
request in the hybrid (which would introduce severe inefficiencies in
the hybrid).

2. Yes, the case you are providing could be compelling in the absence
of an auto-registration mechanism. However, we are really delaying the
unregistered consumer issue because until such time as there is a
hybrid protocol at all, and a stable mechanism for OAuth discovery,
the benefit is minimal of tackling unregistered consumers.

We believe (by having played with these ideas for a while now) that
the current proposal for hybrid will accommodate unregistered
consumers eventually, but that additional pieces to provide better
security and usability will be necessary to make it work in that case.

On Tue, Nov 25, 2008 at 11:22 PM, Martin Atkins <mart at> wrote:
> Breno de Medeiros wrote:
>> The consumer key is an independent issue of pre-registration. Say a
>> site hosts multiple apps. The realm indicates the site, the consumer
>> key indicates the app. The presence of the consumer key (even in a
>> scenario without pre-registration requirements) is useful to indicate
>> to the user information about the request.
>> This turns out to be particularly important in the un-registered case,
>> where the consumer could provide a descriptive key. In the case of
>> registered consumers, this will probably not be used to describe the
>> request in a user-visible way, but is useful for other purposes.
>> Making it optional actually hurts interoperability. The idea is that
>> it can be a self-reported value in the case of unregistered consumers.
> Can you give a concrete example of what you're arguing for?
> Are you imagining...
> oauth.consumer_key=Martin's Amazing Social Applicatioon
> or did you have something else in mind?
> _______________________________________________
> specs mailing list
> specs at


+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

More information about the specs mailing list