<div>Why must the OP issue the OAuth credential? Why can't the OpenID+OAuth request from the RP+Consumer be sent to the SP as a special message that gets transformed and forwarded to the OP? The OP performs authentication, while displaying an iframe from the SP where the user can read the SP-controlled message about what is being authorized and check some box (perhaps). At auth completion, the user is redirected to the SP (or perhaps directly to the RP). Then the RP gets the OAuth token from the SP in the standard way.</div>
<div> </div>
<div>I haven't thought this all through, but I like the very loose (or no) tie between SP and OP, and the fact that I can change OPs freely without invalidating my OAuth tokens.<br clear="all">--<br>Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br><br><br></div>
<div class="gmail_quote">On Sun, Feb 22, 2009 at 6:44 PM, Martin Atkins <span dir="ltr"><<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div class="Ih2E3d">Allen Tom wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Martin Atkins wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">We need a way to do hybrid when the OP and the SP are not the same party, and ideally we need it sooner rather than later.<br>
</blockquote></blockquote><br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">This is pretty tricky, because the solution would probably imply that the OP is able to generate OAuth credentials for the SP. Presumably both the SP and the OP would need to agree on how to provision and verify consumer keys (and consumer secrets) and somehow the user would need a way to revoke an OAuth credential after it's been issued.<br>
</blockquote><br></div>Yes, the initial thought I had was essentially some mechanism whereby the SP grants the OP the right to be a proxy for OAuth transactions.<br><br>So I would tell my OP that I have my contacts hosted on Google (for example) and it would talk to Google in some way to be determined in order to get permission to act as an authorization proxy for my contacts. I could later revoke this if I decide to change my OP, or change the setting at my OP if I decide to change my contacts provider, but neither is inextricably tied to the other.<br>
<br>Of course, this is only an initial strawman and definitely needs both protocol and UX work to figure out what it would look like in practice.
<div>
<div></div>
<div class="Wj3C7c"><br><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>
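<div>As an added illustration (not code from the thread or from any OpenID/OAuth implementation), the following Python simulation walks through the flow Andrew sketches above: the RP/consumer sends the combined request to the SP, the SP forwards only the authentication part to the OP, and the SP alone issues and verifies the OAuth credential. The parties, field names, example hostnames and the HMAC stand-in for the OP's association signature are all assumptions made for the simulation; the user's consent in the SP iframe is assumed granted. The point it demonstrates is the one both messages care about: the SP must verify that the returning assertion came from an OP it currently trusts for this user and matches the pending request (nonce, identity, return address), and because the token is SP-issued, dropping or changing the OP does not invalidate it.</div>

```python
import hashlib
import hmac
import secrets


def canonical(d):
    # Deterministic serialisation of the signed fields (assumed format, not OpenID's).
    return "&".join(f"{k}={v}" for k, v in sorted(d.items()))


def sign(key, d):
    # HMAC stands in for the OpenID association signature in this simulation.
    return hmac.new(key, canonical(d).encode(), hashlib.sha256).hexdigest()


class OP:
    """OpenID Provider: authenticates the user and signs an assertion for the SP.
    It never issues OAuth credentials."""

    def __init__(self, name):
        self.name = name
        self.assoc_key = secrets.token_bytes(32)  # shared with the SP on association (assumed step)

    def authenticate(self, forwarded):
        # The user logs in here while the SP's iframe shows forwarded["scope"];
        # the simulation assumes the user consents.
        body = {"op": self.name, "claimed_id": forwarded["claimed_id"],
                "nonce": forwarded["nonce"], "return_to": forwarded["return_to"]}
        return dict(body, sig=sign(self.assoc_key, body))


class SP:
    """OAuth Service Provider: takes the combined request from the RP/consumer,
    forwards authentication to the OP, verifies the assertion that comes back,
    and issues the OAuth request and access tokens itself."""

    def __init__(self):
        self.consumers = {}      # consumer_key -> consumer_secret
        self.ops = {}            # OP name -> association key (OPs the user allows)
        self.pending = {}        # request token -> authorization state
        self.access_tokens = {}  # access token -> (consumer_key, claimed_id)
        self.used_nonces = set()

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def associate(self, op):
        self.ops[op.name] = op.assoc_key

    def revoke_op(self, name):
        # The user no longer wants this OP to authenticate for them at this SP.
        self.ops.pop(name, None)

    def start(self, consumer_key, claimed_id, scope):
        # Combined OpenID+OAuth request arrives: mint a request token and build
        # the message that the user's browser carries to the OP.
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        rt, nonce = secrets.token_hex(8), secrets.token_hex(8)
        return_to = f"https://sp.example/return?rt={rt}"
        self.pending[rt] = {"consumer_key": consumer_key, "claimed_id": claimed_id,
                            "nonce": nonce, "return_to": return_to, "approved": False}
        return rt, {"claimed_id": claimed_id, "nonce": nonce,
                    "return_to": return_to, "scope": scope}

    def complete(self, rt, assertion):
        # The user returns with the OP's assertion; check everything before approving.
        p = self.pending[rt]
        body = {k: v for k, v in assertion.items() if k != "sig"}
        key = self.ops.get(body.get("op"))
        if key is None:
            raise PermissionError("OP not authorised for this user")
        if not hmac.compare_digest(assertion["sig"], sign(key, body)):
            raise PermissionError("bad assertion signature")
        if body["nonce"] != p["nonce"] or body["nonce"] in self.used_nonces:
            raise PermissionError("stale or replayed assertion")
        if body["claimed_id"] != p["claimed_id"] or body["return_to"] != p["return_to"]:
            raise PermissionError("assertion does not match this request")
        self.used_nonces.add(body["nonce"])
        p["approved"] = True

    def exchange(self, consumer_key, consumer_secret, rt):
        # Standard OAuth step: the consumer swaps the approved request token for access.
        p = self.pending.pop(rt, None)
        secret = self.consumers.get(consumer_key, "")
        if not (p and p["approved"] and p["consumer_key"] == consumer_key
                and hmac.compare_digest(secret, consumer_secret)):
            raise PermissionError("token exchange refused")
        at = secrets.token_hex(16)
        self.access_tokens[at] = (consumer_key, p["claimed_id"])
        return at

    def resource(self, access_token):
        return self.access_tokens.get(access_token)


def demo():
    sp = SP()
    sp.register_consumer("rp-key", "rp-secret")
    old_op, new_op = OP("op-old.example"), OP("op-new.example")
    sp.associate(old_op)
    sp.associate(new_op)
    alice = "https://alice.example/"
    rt, fwd = sp.start("rp-key", alice, "contacts.read")
    sp.complete(rt, old_op.authenticate(fwd))
    token = sp.exchange("rp-key", "rp-secret", rt)
    # Alice changes OPs: the SP drops the old association, but the token it
    # issued stays valid because the OP was never part of the credential.
    sp.revoke_op("op-old.example")
    still_valid = sp.resource(token) == ("rp-key", alice)
    # A fresh login through the dropped OP is now refused by the SP...
    rt2, fwd2 = sp.start("rp-key", alice, "contacts.read")
    try:
        sp.complete(rt2, old_op.authenticate(fwd2))
        old_refused = False
    except PermissionError:
        old_refused = True
    # ...while the new OP works for the same user and the same SP.
    rt3, fwd3 = sp.start("rp-key", alice, "contacts.read")
    sp.complete(rt3, new_op.authenticate(fwd3))
    new_works = sp.exchange("rp-key", "rp-secret", rt3) is not None
    return still_valid, old_refused, new_works
```

<div>Running <code>demo()</code> returns <code>(True, True, True)</code>: the existing token survives the OP change, the dropped OP can no longer authenticate the user at this SP, and the new OP can. The checks in <code>complete</code> are where the loose coupling is paid for: since the OP never sees the OAuth credential, the SP has to bind the returning assertion to the request it forwarded, or an assertion from any OP could approve any pending token.</div>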