And given that the server would return one token good for both the `openid` and `calendar` scopes, leaking it via HTTP cookies would be bad. Thus in my proposal the access token remains secret and is useful for a variety of scopes while the signature – sure another form of a "token" – can become public and not compromise security.<div>
<br></div><div>--David</div><div><br><br><div class="gmail_quote">On Wed, May 19, 2010 at 8:18 PM, Allen Tom <span dir="ltr"><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Whoa, I think it’s premature to say that Yahoo supports OpenID Connect, but I would imagine that only a single Access Token would be returned to <a href="http://coolcalendar.com" target="_blank">coolcalendar.com</a> – the Access Token would presumably be good for both “openid” and “calendar” scope. Why would the OP want to return 2 tokens?<br>
<br>
Allen<br>
<br>
<br>
On 5/19/10 5:27 PM, "Dirk Balfanz" <<a href="http://balfanz@google.com" target="_blank">balfanz@google.com</a>> wrote:<br>
<br>
</span></font><blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br>
Let's say I'm <a href="http://coolcalendar.com" target="_blank">coolcalendar.com</a> <<a href="http://coolcalendar.com" target="_blank">http://coolcalendar.com</a>> , and I want to "connect" one of my user's accounts to his Yahoo! account. I don't want to roll my own auth system, so I'm happy to see that Yahoo! supports OpenID Connect. To connect, I'll send the user over to Yahoo! with scope=openid%20yahoo-calendar. What I get back, in your proposal, is two different kinds of "tokens": the access token that my servers use to access Yahoo! and something I'll call "openid connect token" (which in your proposal comprises a few different parameters - user id, timestamp, signature, etc.) that browsers use (in form of a cookie) to access my own servers at <a href="http://coolcalendar.com" target="_blank">coolcalendar.com</a> <<a href="http://coolcalendar.com" target="_blank">http://coolcalendar.com</a>> . <div class="im">
<br>
<br>
Why do those two tokens look different? They serve the same purpose - authenticating access from a client to a server, so they should look the same. <br>
<br>
Why should Yahoo! run different code to authenticate requests coming from my server than the code I'm running on my servers to authenticate requests coming from browsers - we have to solve the same task, so we should run the same code. It's simpler. <br>
<br>
</div></span></font></blockquote>
</div>
</blockquote></div><br></div>