[Openid-specs-ab] Fwd: [OAUTH-WG] 'immediate' without identity
sakimura at gmail.com
Tue May 25 10:51:13 UTC 2010
This is kind of interesting that it exactly is the opposit behavior
than what OpenID currently does.
Why is it so?
It probably is because in OpenID, the data always travels as Identity
assertion, while in OAuth, the data is decoupled from the user. (It
actually is why OAuth hybrid were not affected by the bug of OAuth 1.0)
Would you think this would impact the ab spec? IMHO it dies not.
=nat @ Mountain View via iPhone
Begin forwarded message:
> 差出人: Dick Hardt <dick.hardt at gmail.com>
> 日時: 2010年5月25日 03:18:04JST
> 宛先: Eran Hammer-Lahav <eran at hueniverse.com>
> Cc: "OAuth WG \(oauth at ietf.org\)" <oauth at ietf.org>
> 件名: Re: [OAUTH-WG] 'immediate' without identity
> On 2010-05-24, at 8:55 AM, Eran Hammer-Lahav wrote:
>>> -----Original Message-----
>>> From: Dick Hardt [mailto:dick.hardt at gmail.com]
>>> Sent: Monday, May 24, 2010 7:35 AM
>>> To: Eran Hammer-Lahav
>>> Cc: OAuth WG (oauth at ietf.org)
>>> Subject: Re: [OAUTH-WG] 'immediate' without identity
>>> You were looking for use cases for immediate without identity.
>>> I agree that *if* the client does know the user, then it should
>>> tell the server.
>>> Are you saying that if the client does not know the user it should
>>> not use
>> I think the server should reject an immediate request without a
>> username. Otherwise the server will be giving the client an access
>> token that belongs to another user.
> Now I understand. I agree.
> -- Dick
> OAuth mailing list
> OAuth at ietf.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab