Re: OpenID/OAuth hybrid - without app pre-registration

[Breno de Medeiros]

I will answer this question with two possibilities:

1. Auto-registration. We have done some research at Google to allow
auto-registration of consumer keys (as a possible OAuth extension).
This did not make into the first version of our proposal for OAuth for
unregistered consumers, but we may want to revisit this with the broad
OpenID/OAuth community at some point. Our initial results in that area
did influence our thinking that we could drop the request token
request in the hybrid (which would introduce severe inefficiencies in
the hybrid).

2. Yes, the case you are providing could be compelling in the absence
of an auto-registration mechanism. However, we are really delaying the
unregistered consumer issue because until such time as there is a
hybrid protocol at all, and a stable mechanism for OAuth discovery,
the benefit is minimal of tackling unregistered consumers.

We believe (by having played with these ideas for a while now) that
the current proposal for hybrid will accommodate unregistered
consumers eventually, but that additional pieces to provide better
security and usability will be necessary to make it work in that case.


On Tue, Nov 25, 2008 at 11:22 PM, Martin Atkins <[EMAIL PROTECTED]> wrote:
> Breno de Medeiros wrote:
>>
>> The consumer key is an independent issue of pre-registration. Say a
>> site hosts multiple apps. The realm indicates the site, the consumer
>> key indicates the app. The presence of the consumer key (even in a
>> scenario without pre-registration requirements) is useful to indicate
>> to the user information about the request.
>>
>> This turns out to be particularly important in the un-registered case,
>> where the consumer could provide a descriptive key. In the case of
>> registered consumers, this will probably not be used to describe the
>> request in a user-visible way, but is useful for other purposes.
>>
>> Making it optional actually hurts interoperability. The idea is that
>> it can be a self-reported value in the case of unregistered consumers.
>>
>
> Can you give a concrete example of what you're arguing for?
>
> Are you imagining...
>
> oauth.consumer_key=Martin's Amazing Social Applicatioon
>
> or did you have something else in mind?
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: OpenID/Oauth hybrid [was Re: specs Digest, Vol 27, Issue 3]

[Dirk Balfanz]

On Tue, Nov 25, 2008 at 7:17 PM, Allen Tom <[EMAIL PROTECTED]> wrote:

>  Some more feedback:
>
> The first sentence in the Abstract should say "describes" instead of
> "describe."
>

Done.


>
> The phrase "OpenID OAuth Extension" is not consistently capitalized in the
> spec. For instance, it's capitalized in the first sentence in section 3, but
> "extension" is lowercase in section 4.  Sections 5 and 8 call it the OAuth
> extension, rather than the OpenID OAuth Extension.
>

Done.


>
> The second word in Section 7, "Requesting" should be all lowercase.
>

Done.


>
> In Section 7, the phrase "this extension can be used to request that the
> end user authorize an OAuth token" should probably be clarified to say that
> the user is authorizing an OAuth Access token.
>

Done. This assumes that "authorizing an access token" is the same as
"approving a request token that can be exchanged for an access token".


>
> In the last sentence of Section 8, the phrase "SHOULD not" should be in all
> caps, "SHOULD NOT."
>

Done.


>
> I recommend that the phrase "Combined Consumer" be used instead of simply
> "Consumer" everywhere in the spec. The third paragraph in section 9, and the
> description for OAuth token secret in Section 10 still say Consumer.
>

Done.


>
> In Section 10, is the Access Token endpoint discoverable? I guess that's
> out of scope for this spec.
>

Yes it should be discoverable, but we don't know yet how that will work.
According to Eran, The Right Way to do this is provide meta-data for the
OpenID endpoint, and have that point to the access token endpoint. So you
would serve something like this as the meta-data for your actual OpenID
endpoint:


  http://specs.openid.net/auth/2.0/server
  http://specs.openid.net/extensions/oauth/1.0

  
http://oauth.net/core/1.0/endpoint/access
http://url-of-the-access-token-endpoint/
  


But this kind of stuff has yet to gel in the various committees looking at
discovery. As far as I know, in current versions of XRD(S), you can't have
 elements underneath  elements. Once that's all sorted out, we
should probably include it in the spec. Although it might be that it falls
out automatically out of XRD in general and OAuth discovery in particular,
i.e. we would basically just have to remind the reader of how to put those
other pieces together to make the access token endpoint discoverable.



>
> In Section 10, and perhaps also in Section 12, the spec should mention that
> because the hybrid protocol does not have a request token secret, and
> because the user is never required to manually type in the request token
> (unlike in OAuth), the hybrid Request Token probably should be longer and
> harder to guess than the standard OAuth Request Token. At least for our
> implementation, I'm thinking that the hybrid RT == OAuth's RT+RTSecret.
>

But you need to have the consumer secret to exchange it, no? What if it were
just a incrementing integer? What would the attack be?


>
>
> I think the spec is getting pretty close.
>

Thanks again, Allen - this is really helpful!

Dirk.


>
> thanks
> Allen
>
>
>
>
> Dirk Balfanz wrote:
>
>
>> Otherwise, the spec is looking pretty good!
>>
>
>  Great! We're officially calling it Draft 1 now :-) (the previous version
> was Draft 0).
>
>
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs