[step2] Re: OpenID Popup Extension - Draft 0
George Fletcher
gffletch at aol.com
Mon Feb 16 21:08:07 UTC 2009
I'm fine with that approach:) It would be nice to support both signed
and unsigned authn requests. Unsigned requests get no UI customizations.
I see this kind-of mentioned in the 2.1 WG charter (under exploratory
work). I'm just worried that something like this
(ConsumerKey/ConsumerSecret for AssociationHandle/Association) will get
dropped because of backward compatibility issues.
I'd much prefer to tie UI customizations to an OAuth CK (from a security
perspective). I suppose in the mean time, an OP could use the RP realm
and RP discovery in place of a CK and still provision the data
out-of-band. In addition, it would be good to define some UI specs and
best practices around this as well so that RP's can define the UI
elements once and they should work with most OPs.
This is getting further and further away from the popup extension so may
be needs it's own thread.
Thanks,
George
Allen Tom wrote:
> Probably the simplest thing would be to turn
> AssocationHandle/Association into ConsumerKey/ConsumerSecret and require
> the Auth request to be signed.
>
> Allen
>
> George Fletcher wrote:
>
>> Maybe the OpenID 2.1 WG could take on "signed RP authn requests" :)
>> Could probably just leverage 2-legged OAuth with the consumer
>> token:secret representing the RP.
>>
>>
>>
>
>
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google Groups "Step2" group.
> To post to this group, send email to step2 at googlegroups.com
> To unsubscribe from this group, send email to step2+unsubscribe at googlegroups.com
> For more options, visit this group at http://groups.google.com/group/step2?hl=en
> -~----------~----~----~----~------~----~------~--~---
>
>
>
More information about the user-experience
mailing list