<br><br><div class="gmail_quote">On Mon, Nov 24, 2008 at 10:06 PM, Martin Atkins <span dir="ltr">&lt;<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d">Dirk Balfanz wrote:<br>
> I'm not sure I understand what the commotion is about :-)<br>
><br>
> OAuth discovery (when it is done), will answer the question: given the<br>
> URL of a resource, where do I go to get access tokens for that resource.<br>
> The question answered by the XRD element described in Section 5 is "does<br>
> this OpenID endpoint support the Hybrid protocol". These two questions<br>
> are somewhat related, but clearly different. And, yes, the latter is not<br>
> nearly as exciting as the former.<br>
><br>
<br>
</div>What is a consumer intended to do with this information?<br></blockquote><div><br></div><div>It could decide to combine an OpenID auth request and an OAuth request into one hybrid request, instead of doing OpenID first, and then (once the user is logged in) doing OAuth. This information also tells the consumer where the auth-request endpoint of the Combined Provider is.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Telling me that the OpenID provider also supports the OAuth hybrid<br>
protocol is not useful alone. It's not like I can just take any OAuth<br></blockquote><div><br></div><div>Agreed.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
token in the world and feed it to this endpoint.<br>
<br>
More useful, I think, would be to have the OAuth discovery information<br>
*at the service endpoint* say that "the OAuth authorization URL for this<br></blockquote><div><br></div><div>Agreed. </div><div><br></div><div>These are not mutually exclusive. When performing discovery on a user-supplied identifier it's useful to say "the combined endpoint for this user-supplied identifier is over there". (We'll also need to be able to say "the request token you'll get from the combined endpoint can be exchanged for an access token over here" - but that will be covered in the OAuth discovery spec.) At the combined endpoint it would indeed make sense to say where the other OAuth URLs are (although the combined endpoint needs only one other OAuth URL - the access token endpoint).</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
service is &lt;some-url&gt;, and the combined OpenID/OAuth endpoint for this<br>
service is &lt;some-other-url&gt;". The first part of this will presumably be<br>
catered for by OAuth discovery. </blockquote><div><br></div><div>Yes.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">The second part seems like it ought to<br>
be an extension to OAuth discovery, though I don't have a good answer<br>
for what exactly it'd look like on the wire.<br></blockquote><div><br></div><div>The second part is exactly what is defined in Section 5. It's part of OpenID discovery (not OAuth), b/c the combined endpoint _is_ the OpenID endpoint (an OpenID endpoint that happens to speak the OAuth extension).</div>
<div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">As currently specced, I'm not sure what problem that section is<br>
addressing or what value it provides. Perhaps for now it'd be better to<br></blockquote><div><br></div><div>We're defining an OpenID extension. Consumers will want to know whether or not a given endpoint speaks that extension. That's all it's doing - just like AX or PAPE have a section on discoverability. It also gives consumers a way to look for the combined OpenID/OAuth endpoint (assuming that one day we'll have these massive XRD documents advertising all sorts of things - OAuth request token endpoints, portable contact endpoints, etc.).</div>
<div><br></div><div>Dirk.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
take that part out of the Hybrid Protocol specification and defer that<br>
problem until it's clearer how OAuth discovery will work in general.<br>
<div><div></div><div class="Wj3C7c"><br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@openid.net">specs@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
</div></div></blockquote></div><br>