[OpenID] Verisign Announces Free OpenID Digital Lockbox

Allen Tom atom at yahoo-inc.com
Mon Feb 23 02:29:29 UTC 2009


Martin Atkins wrote:
> We need a way to do hybrid when the OP and the SP are not the same 
> party, and ideally we need it sooner rather than later.
This is pretty tricky, because the solution would probably imply that 
the OP is able to generate OAuth credentials for the SP. Presumably both 
the SP and the OP would need to agree on how to provision and verify 
consumer keys (and consumer secrets) and somehow the user would need a 
way to revoke an OAuth credential after it's been issued.

> It also seems to me that the OpenID part of the OpenID/OAuth hybrid is 
> actually redundant in many scenarios. For example, if I'm connecting 
> to a PortableContacts endpoint using OAuth, the PortableContacts 
> "self" endpoint can in theory provide a superset of the information 
> provided by the OpenID transaction.
Well then you'd need to send the identifier to the RP, and you'd also 
need a way for the RP to determine if the OAuth Service Provider is 
authoritative for that identifier. These problems have already been 
solved by OpenID.

I don't think the non-hybrid UX is all that bad. We have that today with 
Flickr in which Flickr is the SP, but Yahoo is the OP.

Allen
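
The check the reply refers to, where an RP decides whether the party that issued an assertion is authoritative for the identifier, sketched as an added example (not code from this thread or from any OpenID library). It follows OpenID 2.0's rule that discovery on the claimed identifier must list the asserting OP endpoint. The XRDS document, URLs and function names are constructed for illustration, and fetching the XRDS plus signature and nonce checks are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

XRD_NS = "{xri://$xrd*($v*2.0)}"
SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: what discovery on https://alice.example/ returned.
SAMPLE_XRDS = """
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/openid</URI>
      <LocalID>https://op.example/user/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample: fields from a positive assertion received by the RP.
SAMPLE_ASSERTION = {
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://op.example/user/alice",
    "openid.op_endpoint": "https://op.example/openid",
}

def discovered_services(xrds_text):
    """Yield (op_endpoint, local_id) for each OpenID 2.0 signon Service.
    A production RP should parse this untrusted XML with a hardened parser."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(XRD_NS + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        if SIGNON not in types:
            continue
        local = svc.findtext(XRD_NS + "LocalID")
        for uri in svc.findall(XRD_NS + "URI"):
            if uri.text:
                yield uri.text.strip(), (local.strip() if local else None)

def op_is_authoritative(assertion, xrds_text):
    """True only if the claimed identifier's own discovery document names
    the endpoint that made the assertion, with a matching OP-local id."""
    claimed, _fragment = urldefrag(assertion["openid.claimed_id"])
    for endpoint, local_id in discovered_services(xrds_text):
        if endpoint != assertion["openid.op_endpoint"]:
            continue
        # With no LocalID in discovery, the OP-local id is the claimed id.
        if (local_id or claimed) == assertion["openid.identity"]:
            return True
    return False
```

An assertion for the same claimed identifier arriving from an endpoint that the identifier's discovery document does not list is rejected, which is the property a bare OAuth "self" endpoint does not give the RP.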



