[Openid-specs-ab] To sign or to authenticate

Nat Sakimura sakimura at gmail.com
Wed May 26 15:15:18 UTC 2010


Hi,

To make sure that the direct assertion request comes from
the correct client, we have two ways of doing it.

1) Authenticate the client using client_id and client_secret
2) Sign the request.

Option 1) is the course OAuth 2.0 is taking.
If we just use it, we do not need signed request format.

Downside of this option is that the client must
obtain and maintain the list of secrets for each and every
OP.

Which would you think is better?

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en

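As an added illustration that is not part of Nat's message or of any OpenID AB draft, the following Go program contrasts the two options he lists: option 1, where the client authenticates with a client_secret that each OP issues separately (so an OP keeps a secret per client and the client keeps a secret per OP), and option 2, where the client signs the request with a single private key and each OP only stores the client's public key. The `Request` shape, the canonical serialisation, the ECDSA P-256 / SHA-256 choice, and every name and sample value are assumptions made for this example, not something the thread specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"strings"
)

// Request is a hypothetical direct assertion request: the client_id plus
// the remaining request parameters (assumed shape, for this example only).
type Request struct {
	ClientID string
	Params   map[string]string
}

// canonical serialises a request with parameters in a fixed order so that the
// client and the OP hash the same bytes. A real format would also percent-encode.
func canonical(r Request) []byte {
	keys := make([]string, 0, len(r.Params))
	for k := range r.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("client_id=" + r.ClientID)
	for _, k := range keys {
		b.WriteString("&" + k + "=" + r.Params[k])
	}
	return []byte(b.String())
}

// ---- Option 1: authenticate the client with client_id and client_secret ----

// SharedSecretOP keeps one secret per registered client. Each OP has its own
// table, so a client that talks to N OPs must obtain and protect N secrets.
type SharedSecretOP struct {
	Secrets map[string]string
}

// AuthenticateClient compares the presented secret in constant time, so a
// wrong guess takes as long as a right one and leaks nothing through timing.
func (op *SharedSecretOP) AuthenticateClient(clientID, presentedSecret string) bool {
	expected, ok := op.Secrets[clientID]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presentedSecret)) == 1
}

// ---- Option 2: sign the request ----

// SignedRequest carries the request and an ECDSA signature over its canonical form.
type SignedRequest struct {
	Request
	Signature []byte
}

// NewClientKey generates the one signing key a client needs no matter how many
// OPs it talks to; only the public half is ever handed to an OP.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRequest signs the SHA-256 digest of the canonical request.
func SignRequest(priv *ecdsa.PrivateKey, r Request) (SignedRequest, error) {
	digest := sha256.Sum256(canonical(r))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Request: r, Signature: sig}, nil
}

// SigningOP stores public keys only: nothing on the OP side is secret, and a
// breach of one OP yields no credential that works at another.
type SigningOP struct {
	PublicKeys map[string]*ecdsa.PublicKey
}

func NewSigningOP() *SigningOP {
	return &SigningOP{PublicKeys: map[string]*ecdsa.PublicKey{}}
}

// Register records the public key a client presented at registration time.
func (op *SigningOP) Register(clientID string, pub *ecdsa.PublicKey) {
	op.PublicKeys[clientID] = pub
}

// VerifyRequest rejects unknown clients, altered parameters and signatures
// made with any key other than the registered one.
func (op *SigningOP) VerifyRequest(sr SignedRequest) bool {
	pub, ok := op.PublicKeys[sr.ClientID]
	if !ok {
		return false
	}
	digest := sha256.Sum256(canonical(sr.Request))
	return ecdsa.VerifyASN1(pub, digest[:], sr.Signature)
}

func main() {
	// Option 1: the same client needs a different secret at each OP (constructed values).
	opA := &SharedSecretOP{Secrets: map[string]string{"client-1": "secret-issued-by-op-a"}}
	opB := &SharedSecretOP{Secrets: map[string]string{"client-1": "secret-issued-by-op-b"}}
	fmt.Println("OP A accepts A's secret:", opA.AuthenticateClient("client-1", "secret-issued-by-op-a"))
	fmt.Println("OP B accepts A's secret:", opB.AuthenticateClient("client-1", "secret-issued-by-op-a"))

	// Option 2: one key, registered (public half only) at both OPs.
	priv, _ := NewClientKey()
	sigA, sigB := NewSigningOP(), NewSigningOP()
	sigA.Register("client-1", &priv.PublicKey)
	sigB.Register("client-1", &priv.PublicKey)
	sr, _ := SignRequest(priv, Request{ClientID: "client-1", Params: map[string]string{"nonce": "n-1"}})
	fmt.Println("OP A verifies:", sigA.VerifyRequest(sr), " OP B verifies:", sigB.VerifyRequest(sr))
}
```

The asymmetry the message points at shows up directly in the data each side holds: under option 1 both the client and every OP store a secret whose disclosure lets anyone impersonate the client at that OP, whereas under option 2 the OP holds nothing worth stealing and the client guards one key.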