[OpenID] Verisign Announces Free OpenID Digital Lockbox

Andrew Arnott andrewarnott at gmail.com
Tue Feb 24 04:13:22 UTC 2009


Why must the OP issue the OAuth credential?  Why can't the OpenID+OAuth
request from the RP+Consumer be sent to the SP as a special message that
gets transformed and forwarded to the OP?  The OP performs authentication,
while displaying an iframe from the SP where the user can read the SP
controlled message about what is being authorized and check some box
(perhaps).  At auth completion, the user is redirected to the SP (or perhaps
directly to RP).  Then the RP gets the OAuth token from the SP in the
standard way.

I haven't thought this all through, but I like the very loose (or no) tie
between SP and OP, and the fact that I can change OPs freely without
invalidating my OAuth tokens.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sun, Feb 22, 2009 at 6:44 PM, Martin Atkins <mart at degeneration.co.uk> wrote:

> Allen Tom wrote:
>
>> Martin Atkins wrote:
>>
>>> We need a way to do hybrid when the OP and the SP are not the same party,
>>> and ideally we need it sooner rather than later.
>>>
>>
>
>> This is pretty tricky, because the solution would probably imply that the
>> OP is able to generate OAuth credentials for the SP. Presumably both the SP
>> and the OP would need to agree on how to provision and verify consumer keys
>> (and consumer secrets) and somehow the user would need a way to revoke an
>> OAuth credential after it's been issued.
>>
>
> Yes, the initial thought I had was essentially some mechanism whereby the
> SP grants the OP the right to be a proxy for OAuth transactions.
>
> So I would tell my OP that I have my contacts hosted on Google (for
> example) and it would talk to Google in some way to be determined in order
> to get permission to act as an authorization proxy for my contacts. I could
> later revoke this if I decide to change my OP, or change the setting at my
> OP if I decide to change my contacts provider, but neither is inextricably
> tied to the other.
>
> Of course, this is only an initial strawman and definitely needs both
> protocol and UX work to figure out what it would look like in practice.
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
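The flow Andrew sketches above (RP+Consumer sends a combined request to the SP, the SP relays a special message to the OP, the OP authenticates and shows the SP-controlled consent text, the user returns to the SP, and the RP then obtains the OAuth token from the SP in the ordinary way) can be modelled end to end to see where the loose coupling actually lands. The following is an added example written for this page; it is not code from the thread, from any OpenID or OAuth library, or from Verisign, Google or the list participants. All actor names, endpoints, credentials and identifiers are constructed, a `DELEGATION` dict stands in for OpenID discovery (which OP a claimed identifier currently delegates to), an HMAC over the assertion fields stands in for the OP's OpenID signature, and OAuth request signing with the consumer secret is omitted. The two checks the SP must make in this design are the security-relevant part: that the assertion came from the OP the identifier delegates to right now, and that it is bound to the pending request token and consent decision. The scenario also shows Andrew's property that changing OPs leaves issued access tokens intact, since the SP's token store never records an OP.

```python
import hmac, hashlib, secrets, json

# Constructed stand-in for OpenID discovery: claimed identifier -> OP it delegates to.
# The user "changes OPs" simply by re-pointing this entry.
DELEGATION = {}

class OpenIDProvider:
    def __init__(self, name, users):
        self.name = name
        self.users = users                 # claimed_id -> password (constructed)
        self.key = secrets.token_bytes(32)  # OP's private signing key (HMAC stands in for OpenID signing)
        self.seen_nonces = set()

    def _sign(self, fields):
        return hmac.new(self.key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def authenticate(self, claimed_id, password, sp_message, user_ticks_box):
        """User logs in at the OP; the OP shows the SP-controlled text (the 'iframe')
        and records whether the user ticked the box. Returns a signed assertion."""
        if self.users.get(claimed_id) != password:
            raise PermissionError("bad credentials")
        fields = {"claimed_id": claimed_id, "op": self.name, "nonce": secrets.token_hex(8),
                  "request_token": sp_message["request_token"], "consent": bool(user_ticks_box)}
        return {**fields, "sig": self._sign(fields)}

    def check_authentication(self, assertion):
        """Direct verification: the OP confirms it made this assertion, and only once."""
        fields = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(self._sign(fields), assertion["sig"]):
            return False
        if fields["nonce"] in self.seen_nonces:   # replayed assertion
            return False
        self.seen_nonces.add(fields["nonce"])
        return True

class ServiceProvider:
    def __init__(self, name):
        self.name = name
        self.consumers = {}      # consumer_key -> consumer_secret, provisioned with the RP directly
        self.pending = {}        # request_token -> who asked, for whom, for what, and the verifier once authorized
        self.access_tokens = {}  # access_token -> {claimed_id, scope}; note: no OP recorded here

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def start_hybrid(self, consumer_key, claimed_id, scope):
        """Step 1: RP+Consumer sends the combined request. The SP mints a request token
        and builds the special message it wants relayed to the OP."""
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        rt = secrets.token_hex(8)
        self.pending[rt] = {"consumer_key": consumer_key, "claimed_id": claimed_id, "scope": scope, "verifier": None}
        text = f"{consumer_key} asks for {scope} at {self.name}; tick the box to allow"
        return {"claimed_id": claimed_id, "request_token": rt, "text": text,
                "return_to": f"https://{self.name}/hybrid/return"}

    def finish_hybrid(self, assertion):
        """Step 3: the user returns with the OP's assertion. The SP verifies it with
        whichever OP the claimed identifier delegates to *now*, and binds it to the request token."""
        rt = self.pending.get(assertion["request_token"])
        if rt is None:
            return None
        op = DELEGATION.get(rt["claimed_id"])
        if op is None or op.name != assertion["op"] or assertion["claimed_id"] != rt["claimed_id"]:
            return None                                   # wrong OP, or assertion for someone else
        if not op.check_authentication(assertion) or not assertion["consent"]:
            return None                                   # forged/replayed, or the user declined
        rt["verifier"] = secrets.token_hex(4)
        return rt["verifier"]

    def access_token(self, consumer_key, request_token, verifier):
        """Step 4: ordinary OAuth token exchange; nothing here involves an OP."""
        rt = self.pending.pop(request_token, None)
        if rt is None or rt["consumer_key"] != consumer_key or rt["verifier"] is None or rt["verifier"] != verifier:
            return None
        at = secrets.token_hex(8)
        self.access_tokens[at] = {"claimed_id": rt["claimed_id"], "scope": rt["scope"]}
        return at

    def fetch(self, access_token, scope):
        rec = self.access_tokens.get(access_token)
        return rec is not None and rec["scope"] == scope

def run_scenario():
    alice = "https://alice.example/"                      # constructed claimed identifier
    op_a = OpenIDProvider("op-a.example", {alice: "pw-a"})
    op_b = OpenIDProvider("op-b.example", {alice: "pw-b"})
    DELEGATION[alice] = op_a
    sp = ServiceProvider("contacts.example")
    sp.register_consumer("rp-key", "rp-secret")

    msg = sp.start_hybrid("rp-key", alice, "contacts:read")
    assertion = op_a.authenticate(alice, "pw-a", msg, user_ticks_box=True)
    verifier = sp.finish_hybrid(assertion)
    replay = sp.finish_hybrid(assertion)                  # same assertion presented twice
    token = sp.access_token("rp-key", msg["request_token"], verifier)
    works_before = sp.fetch(token, "contacts:read")

    DELEGATION[alice] = op_b                              # Alice moves to a different OP
    works_after = sp.fetch(token, "contacts:read")        # issued token is untouched

    stale = op_a.authenticate(alice, "pw-a", sp.start_hybrid("rp-key", alice, "contacts:read"), True)
    stale_verifier = sp.finish_hybrid(stale)              # old OP no longer speaks for this identifier
    declined = op_b.authenticate(alice, "pw-b", sp.start_hybrid("rp-key", alice, "contacts:read"), False)
    declined_verifier = sp.finish_hybrid(declined)        # box not ticked
    return {"works_before": works_before, "works_after": works_after,
            "replay": replay, "stale": stale_verifier, "declined": declined_verifier}
```

What the SP still has to trust in this shape is the OpenID assertion itself, so the coupling Andrew wants to avoid does not disappear entirely: it moves from a pre-arranged OP/SP credential relationship to the SP performing discovery on the claimed identifier and verifying the assertion with whatever OP that points at, exactly as an RP would. Revocation stays entirely on the SP side, since only the SP's token store is consulted at access time.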

