[OpenID] Verisign Announces Free OpenID Digital Lockbox
Martin Atkins
mart at degeneration.co.uk
Mon Feb 23 02:44:55 UTC 2009
Allen Tom wrote:
> Martin Atkins wrote:
>> We need a way to do hybrid when the OP and the SP are not the same
>> party, and ideally we need it sooner rather than later.
>
> This is pretty tricky, because the solution would probably imply that
> the OP is able to generate OAuth credentials for the SP. Presumably both
> the SP and the OP would need to agree on how to provision and verify
> consumer keys (and consumer secrets) and somehow the user would need a
> way to revoke an OAuth credential after it's been issued.
Yes, the initial thought I had was essentially some mechanism whereby
the SP grants the OP the right to be a proxy for OAuth transactions.
So I would tell my OP that I have my contacts hosted on Google (for
example) and it would talk to Google in some way to be determined in
order to get permission to act as an authorization proxy for my
contacts. I could later revoke this if I decide to change my OP, or
change the setting at my OP if I decide to change my contacts provider,
but neither is inextricably tied to the other.
Of course, this is only an initial strawman and definitely needs both
protocol and UX work to figure out what it would look like in practice.
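To make the strawman above concrete, here is an added example that is not part of this thread and not code from any OpenID or OAuth project. It models the three parties: the user's OP, the contacts provider (the SP, Google in the example above), and the delegation record the SP keeps so that the user can revoke the OP's proxy rights at the SP without touching the OP, and vice versa. The provisioning call between OP and SP (provision_proxy / enable_proxy) is an assumed stand-in for the mechanism the thread leaves to be determined; the request signing and verification are standard OAuth 1.0 HMAC-SHA1 (the signature base string and percent-encoding rules later codified in RFC 5849, section 3.4), including the nonce replay check an SP would need. All hostnames and user names are constructed for the example.

```python
"""OP acting as OAuth authorization proxy for a user's contacts provider.
Hypothetical classes; only the OAuth 1.0 HMAC-SHA1 signing is a real,
standardised procedure (RFC 5849, section 3.4)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse


def pct(s) -> str:
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(s), safe="-._~")


def normalized_params(params) -> str:
    """3.4.1.3.2: encode name and value, sort by name then value, join with '&'."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url: str) -> str:
    """3.4.1.2: lowercase scheme and host, default port dropped, query excluded."""
    u = urlparse(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if u.port and u.port != default:
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path}"


def signature_base_string(method: str, url: str, params) -> str:
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized_params(params))])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class ContactsProvider:
    """The SP. Keeps the per-user proxy delegations it has issued to OPs,
    so a user can revoke one here independently of any setting at the OP."""

    def __init__(self):
        self.delegations = {}   # consumer_key -> record (assumed storage)
        self.seen_nonces = set()

    def provision_proxy(self, user: str, op_host: str):
        # Assumed provisioning step; the thread leaves this mechanism undefined.
        key, secret = "op-" + secrets.token_hex(8), secrets.token_urlsafe(32)
        self.delegations[key] = {"secret": secret, "user": user, "op": op_host, "revoked": False}
        return key, secret

    def revoke(self, consumer_key: str) -> None:
        self.delegations[consumer_key]["revoked"] = True

    def verify(self, method: str, url: str, params):
        """Returns (accepted, user_or_reason). Checks delegation, signature, then replay."""
        p = dict(params)
        rec = self.delegations.get(p.get("oauth_consumer_key", ""))
        if rec is None or rec["revoked"]:
            return False, "unknown or revoked delegation"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), rec["secret"])
        if not hmac.compare_digest(p.get("oauth_signature", "").encode(), expected.encode()):
            return False, "bad signature"
        nonce_key = (p["oauth_consumer_key"], p["oauth_nonce"], p["oauth_timestamp"])
        if nonce_key in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce_key)
        return True, rec["user"]


class OpenIDProvider:
    """The user's OP, acting as the OAuth consumer on the user's behalf."""

    def __init__(self, host: str):
        self.host = host
        self.proxy_creds = {}   # (user, service) -> (consumer_key, consumer_secret)

    def enable_proxy(self, user: str, service: str, provider: ContactsProvider) -> str:
        key, secret = provider.provision_proxy(user, self.host)
        self.proxy_creds[(user, service)] = (key, secret)
        return key

    def disable_proxy(self, user: str, service: str) -> None:
        self.proxy_creds.pop((user, service), None)   # leaves the SP's record untouched

    def sign_request(self, user: str, service: str, method: str, url: str, extra=()):
        key, secret = self.proxy_creds[(user, service)]
        params = [("oauth_consumer_key", key), ("oauth_signature_method", "HMAC-SHA1"),
                  ("oauth_timestamp", str(int(time.time()))), ("oauth_nonce", secrets.token_hex(8)),
                  ("oauth_version", "1.0")] + list(extra)
        sig = hmac_sha1_signature(signature_base_string(method, url, params), secret)
        return params + [("oauth_signature", sig)]


def demo():
    """Walks the lifecycle; returns the accept/reject outcome of each step."""
    google, op = ContactsProvider(), OpenIDProvider("op.example")
    key = op.enable_proxy("alice", "contacts", google)
    url = "https://contacts.example/feeds/alice"
    req = op.sign_request("alice", "contacts", "GET", url, [("max-results", "10")])
    ok_valid, who = google.verify("GET", url, req)
    tampered = [(k, "1000" if k == "max-results" else v) for k, v in req]
    ok_tampered, _ = google.verify("GET", url, tampered)
    ok_replay, _ = google.verify("GET", url, req)
    google.revoke(key)   # user revokes at the SP; the OP still holds the credential
    ok_revoked, _ = google.verify("GET", url, op.sign_request("alice", "contacts", "GET", url))
    return ok_valid, who, ok_tampered, ok_replay, ok_revoked


if __name__ == "__main__":
    print(demo())   # (True, 'alice', False, False, False)
```

The point of keeping the delegation record at the SP is the one made above: revoking at the SP kills the OP's proxy credential even though the OP still holds it, while disable_proxy at the OP only changes which provider the OP talks to and does not revoke anything at the SP, so a user who switches OPs should revoke at the SP as well.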