Thanks for trying to explain it, Nate. Actually what I was wondering is why OAuth must be part of the request at all. There's been talk on this thread of bringing OAuth into it so that a signed message from the RP can be sent to the OP. First of all, using OAuth just for its signing seems like a misuse. The OpenID+OAuth extension that you described doesn't sign the request at all. And finally, it escapes me why the request needs to be signed at all. If an attacker were to form a request to look like it came from a legitimate company, then the assertion would go to that legitimate company (assuming RP discovery and return_to matching was successful) and the attacker would have gained nothing. <br>
<br>So why must OAuth be part of login just so that logos from the RP can show up at the OP?<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Thu, May 14, 2009 at 10:46 PM, Nate Klingenstein <span dir="ltr"><<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style="">On rereading this, you might have meant that the OAuth registration of the RP with the OP would be completely automated and promiscuous. In that case, I'd totally agree with you. But it's a "woah -- dude" moment for me because it's so counter to our deployment paradigm.<div>
<br></div><div>Hope there was no confusion,</div><div>Nate.<div class="im"><br><div><br><div><div>On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:</div><br><blockquote type="cite"><span style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><blockquote type="cite">
<span style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Why would OAuth be necessary? If an RP registered with an OP and submitted their logos/text/etc, then any auth request coming in with the registered realm could display those pictures. There is a danger that <a href="http://hacker.com" target="_blank">hacker.com</a> might register and upload the Wells Fargo logo, but OAuth won't prevent that.</span></blockquote>
<div><br></div><div>Previously negotiated consumer keys, e.g. whitelisting. It would prevent any transaction from occurring. Unless I'm horribly misreading something, step 7 is registration, stating:</div><div><br>
</div>
<div><span style="font-family: verdana; font-size: 13px;">The Combined Consumer and the Combined Provider agree on a consumer key and consumer secret (see <a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth" style="font-weight: bold; text-decoration: none; color: rgb(153, 0, 0); background-color: transparent;" target="_blank">[OAuth]</a>).</span></div>
<div><br></div><div><a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html" target="_blank">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a></div>
</span></blockquote></div><br></div></div></div></div></blockquote></div><br>
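The exchange above turns on the OP's return_to checks: a forged request that names a legitimate realm can only get the assertion delivered somewhere under that realm. The following is an added example, not code from this thread or from the Step2 OpenID+OAuth extension. It implements the realm-matching rules of OpenID Authentication 2.0 section 9.2 and the RP-discovery-based return_to verification of section 13 on the OP side; the discovery result is replaced by a constructed table, the hostnames (bank.example, attacker.example) are made up, and the dot-boundary reading of the wildcard rule and the treatment of a discovered endpoint as a realm pattern are this example's choices, not text from the spec.

```python
"""OP-side return_to / realm verification for OpenID 2.0.

Added example: not code from the mailing-list thread or from the Step2
extension.  Realm matching follows OpenID Authentication 2.0 section 9.2;
return_to verification follows the idea of section 13 (RP discovery), with
the discovery step replaced by a constructed table.  Hostnames are invented.
"""
from urllib.parse import urlsplit

# Constructed stand-in for RP discovery: what an OP would learn by fetching the
# realm's XRDS document.  Not real data.
DISCOVERED_RETURN_TO = {
    "https://bank.example/": ["https://bank.example/openid/finish"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    """Explicit port, or the scheme's default port (RFC 3986 rule)."""
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def return_to_matches_realm(return_to, realm):
    """Does return_to match the realm pattern per OpenID 2.0 section 9.2?"""
    r = urlsplit(realm)
    u = urlsplit(return_to)
    # A realm must not carry a fragment; treat one as malformed.
    if r.fragment:
        return False
    # Scheme and port must be identical.
    if r.scheme.lower() != u.scheme.lower() or _port(r) != _port(u):
        return False
    rhost = (r.hostname or "").lower()
    uhost = (u.hostname or "").lower()
    if not rhost or not uhost:
        return False
    if rhost.startswith("*."):
        # Wildcard realm: "*." is allowed only once, at the front, and what
        # follows must be a real domain (a bare TLD such as "*.com" is too
        # general).  The return_to host must be that domain or a subdomain;
        # requiring the dot boundary is this example's conservative reading of
        # "trailing part ... identical", so "evilbank.example" does not match
        # "*.bank.example".
        suffix = rhost[2:]
        if not suffix or "*" in suffix or "." not in suffix:
            return False
        if uhost != suffix and not uhost.endswith("." + suffix):
            return False
    elif "*" in rhost or rhost != uhost:
        return False
    # The return_to path must equal the realm path or lie in a sub-directory
    # of it ("/openid" matches "/openid/cb" but not "/openidx").
    rpath = r.path or "/"
    upath = u.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")


def verify_return_to(return_to, realm, discovered=DISCOVERED_RETURN_TO):
    """Full OP-side check: realm match, then RP discovery confirms return_to.

    Returns the URL the assertion will be sent to, or None if the request is
    rejected.  This is the point made in the thread: if the realm is
    bank.example, any return_to that passes lands the assertion at bank.example,
    so a forged request gains the forger nothing.
    """
    if not return_to_matches_realm(return_to, realm):
        return None
    for endpoint in discovered.get(realm, []):
        # Treat each discovered endpoint like a realm pattern (this example's
        # simplification of section 13): return_to must equal the endpoint or
        # sit below it; the query string is ignored.
        if return_to_matches_realm(return_to, endpoint):
            return return_to
    return None
```

A request carrying realm `https://bank.example/` and return_to `https://attacker.example/cb` is rejected at the realm check; one carrying a return_to under bank.example that discovery confirms is accepted, and the assertion goes to bank.example.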