<div>Hi Shade,</div>
<div> </div>
<div>The 'hybrid' term used here is of an OpenID authentication protocol with an OAuth extension that allows the user to be authenticated to an OP while also asking the OP, doubling as an SP, for permission to access the user's data. It was demoed between Plaxo and Gmail with huge success and it's a great user experience... assuming you want Gmail to be your OP, and assuming the data the RP wants to access is hosted by Google.</div>
<div> </div>
<div>You're right, the OP and SP are not the same party given the specifications as they stand today. But the hybrid specification (in draft, and I haven't read it) seems to have only been applied to scenarios where the SP and OP are the same party.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br><br><br></div>
<div class="gmail_quote">On Sat, Feb 21, 2009 at 3:34 PM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div class="Ih2E3d">
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">We need a way to do hybrid when the OP and the SP are not the same party, and ideally we need it sooner rather than later.<br>
</blockquote><br></div>I've just done a lot of reading about OAuth, and I have a better understanding now of what it is, but I still don't understand what you mean by "do hybrid". I see that "SP" means "site that has my data" (not necessarily the site that's authenticating me to the RP), but I'm hesitant to assume a particular meaning of "hybrid". Can you elaborate here?
<div class="Ih2E3d"><br><br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">The OpenID/OAuth hybrid is a nice UX fix in the short term, but it is not good if I'm forced to use a single provider for everything from authentication to address books to calendars to whatever else we make work with OAuth in future.<br>
</blockquote><br></div>Also, how is the hybrid setup forcing users to have a single provider? (And are we speaking of OpenID Providers, Service Providers, or the hybrid Providers?)<br><br>-Shade
<div>
<div></div>
<div class="Wj3C7c"><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>