[Openid-specs-ab] Direct Request Authentication
sakimura at gmail.com
Fri May 28 01:40:12 UTC 2010
In Draft07, I might have overdone a little about the direct assertion.
I wrote it as:
8.1.5. RP requests Assertion directly to the OP
To obtain the assertion through direct request, the RP MUST
authenticate against the OP. There are two ways of doing it, namely:
Through the use of client_secret
Through the use of asymmetric signature
It probably should be SHOULD instead of MUST.
Like Yahoo!'s use case, provided the "code" has sufficient entropy and
there are cases that you just want to submit the bearer token only to
get the result.
Nat Sakimura (=nat)