[Openid-specs-ab] Direct Request Authentication
Nat Sakimura
sakimura at gmail.com
Fri May 28 01:40:12 UTC 2010
Hi.
In Draft07, I might have overdone a little about the direct assertion
request authentication.
I wrote it as:
8.1.5. RP requests Assertion directly to the OP
To obtain the assertion through direct request, the RP MUST
authenticate against the OP. There are two ways of doing it, namely:
Through the use of client_secret
Through the use of asymmetric signature
It probably should be SHOULD instead of MUST.
Like Yahoo!'s use case, provided the "code" has sufficient entropy and
is short lived,
there are cases where you just want to submit the bearer token only to
get the result.
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
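The two options the message contrasts, as an added example that is not part of the original post or of the OpenID AB draft: a toy OP-side handler for the direct assertion request that can either require the RP to authenticate with a shared client_secret (here an HMAC-SHA256 over the request, one possible realisation of the "client_secret" option; the asymmetric-signature option is not shown) or accept the code alone as a bearer credential, in which case the code's entropy, lifetime and single use carry the whole security argument. Names such as OP, issue_code, direct_request, CODE_BYTES and CODE_TTL_SECONDS are assumptions for this example, as are the 256-bit code size and 60-second lifetime.

```python
"""Toy direct-assertion-request endpoint (added example, not spec text).

Two modes for the RP-to-OP request:
  * require_client_auth=True : RP MUST prove it holds the client_secret.
  * require_client_auth=False: the code itself is the only credential
    (the "bearer" case), so it must be high-entropy, short lived and
    single use to be safe.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_BYTES = 32        # assumption: 256 bits of entropy per issued code
CODE_TTL_SECONDS = 60  # assumption: codes are valid for one minute


@dataclass
class IssuedCode:
    rp_id: str
    subject: str
    issued_at: float
    used: bool = False


def sign_request(rp_id: str, code: str, client_secret: bytes) -> str:
    """RP side: bind the request to the shared client_secret (assumed format)."""
    msg = f"{rp_id}:{code}".encode()
    return hmac.new(client_secret, msg, hashlib.sha256).hexdigest()


class OP:
    def __init__(self, client_secrets: dict, require_client_auth: bool = True):
        self.client_secrets = client_secrets      # rp_id -> shared secret bytes
        self.require_client_auth = require_client_auth
        self.codes: dict = {}                     # code -> IssuedCode

    def issue_code(self, rp_id: str, subject: str, now: float = None) -> str:
        """Front-channel step: hand the RP an unguessable, time-stamped code."""
        code = secrets.token_urlsafe(CODE_BYTES)  # CSPRNG, 256 bits
        self.codes[code] = IssuedCode(rp_id, subject, time.time() if now is None else now)
        return code

    def _client_auth_ok(self, rp_id: str, code: str, sig) -> bool:
        secret = self.client_secrets.get(rp_id)
        if secret is None or sig is None:
            return False
        expected = sign_request(rp_id, code, secret)
        return hmac.compare_digest(expected, sig)  # constant-time compare

    def direct_request(self, rp_id: str, code: str, sig=None, now: float = None):
        """Back-channel step: return (assertion, None) or (None, error)."""
        now = time.time() if now is None else now
        entry = self.codes.get(code)
        if entry is None:
            return None, "invalid_code"
        if entry.rp_id != rp_id:
            return None, "code_not_issued_to_this_rp"
        if entry.used:
            return None, "code_already_used"       # replay of a captured code
        if now - entry.issued_at > CODE_TTL_SECONDS:
            return None, "code_expired"            # bounds the window for a leaked code
        if self.require_client_auth and not self._client_auth_ok(rp_id, code, sig):
            return None, "client_auth_failed"      # the MUST/SHOULD in question
        entry.used = True                          # single use, consumed only on success
        return {"sub": entry.subject, "rp": rp_id}, None


if __name__ == "__main__":
    op = OP({"rp.example": b"shared-secret"})          # constructed sample RP
    code = op.issue_code("rp.example", "alice")
    print(op.direct_request("rp.example", code, sign_request("rp.example", code, b"shared-secret")))
    print(op.direct_request("rp.example", code))       # replay -> code_already_used
```

With require_client_auth=False the same handler accepts the code on its own, which is the Yahoo!-style case in the message: it is only acceptable because the code is unguessable (256 bits from a CSPRNG), expires quickly and is consumed on first successful use. Lowering the entropy or lengthening CODE_TTL_SECONDS is what turns that bearer request into a guessable or replayable credential.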