Manger, James H wrote:
> Ideally, an app would attempt to access a protected resource at an SP and get:
> * A 401 Unauthenticated response from the SP; with
> * A “WWW-Authenticate: OAuth” header; with
> * A parameter providing the authorization URL; and
> * Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).
>
One problem with this approach is that many SPs like Yahoo and MySpace will require developers to register their site to get a Consumer Key. Given that the developer already has to manually get a CK, there might not be that much value in defining a workflow for Consumers to discover the OAuth endpoints.

Allen