On Mon, Nov 24, 2008 at 5:34 PM, Manger, James H
<[EMAIL PROTECTED]> wrote:
> Section 5 Discovery of the OpenID/OAuth hybrid draft spec says
>  <xrd:Type>http://specs.openid.net/extensions/oauth/1.0</xrd:Type>
> should appear in the XRDS discovery document to indicate support for the 
> protocol.
>
> This doesn't seem to be the right way around.
>
> Discovery is performed on a user's OpenID identifier. It does not make sense 
> for a user to indicate if an OP supports the hybrid protocol.
> Additionally, support cannot be indicated by users who use an HTML page for 
> their OpenID identifier (with an <link rel="openid2.provider" href="..."/> 
> element).
>
> An OP could indicate that it supports the hybrid protocol in its own XRDS 
> file, assuming all users use directed identity and they all use the same OP 
> XRDS file. I hope we don't have to hardwire these assumptions into the hybrid 
> spec.

The fact that the OP indicates support for hybrid has nothing to do
with directed identity, or whether or not they use the same XRDS file.

> Even in this case, however, indicating hybrid support at the OP is not of 
> much use if the RP/consumer cannot tell which protected resources are covered.
>
> For example, adding the hybrid indicator to the Yahoo OP XRDS file 
> <http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds> does not tell 
> an app if it can use the hybrid protocol to access:
> * Yahoo email address book (probably);
> * Flickr photos (maybe?, it is owned by Yahoo);
> * Microsoft hotmail (perhaps not currently, but a Yahoo/Microsoft merger was 
> discussed earlier this year);
> * Picasa photos (presumably not, as it is owned by Google).
>

This is out of scope for this spec, because OAuth discovery is under
development.

>
> Discovery could work if the metadata for the OAuth Service Provider indicated 
> it supports the hybrid protocol with a specific OP.
>
> [My preferred way to indicate this would be: a request to a protected 
> resource receiving a "401 Unauthenticated" response with a "WWW-Authenticate" 
> HTTP header that included the URL of the OP. If that OP URL matches the OP 
> found from OpenID discovery on the user's OpenID identifier then the app can 
> use the hybrid protocol.]
>
> James Manger
> [EMAIL PROTECTED]
> Identity and security team — Chief Technology Office — Telstra
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
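An added example (not from this thread or the hybrid draft) of the two discovery cases the thread contrasts: an OP XRDS document that carries the Section 5 hybrid Type, versus an HTML identifier page with only a `<link rel="openid2.provider">` element, from which no such indication can be read. The XRDS document, the HTML page and the OP URL are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Type value the hybrid draft (Section 5) says marks hybrid support in XRDS.
HYBRID_TYPE = "http://specs.openid.net/extensions/oauth/1.0"
XRD_NS = "xri://$xrd*($v*2.0)"  # XRD 2.0 namespace used by XRDS documents

# Constructed OP XRDS document (placeholder endpoint, not a real OP).
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:xrd="xri://$xrd*($v*2.0)">
  <xrd:XRD>
    <xrd:Service priority="0">
      <xrd:Type>http://specs.openid.net/auth/2.0/server</xrd:Type>
      <xrd:Type>http://specs.openid.net/extensions/oauth/1.0</xrd:Type>
      <xrd:URI>https://op.example.com/openid</xrd:URI>
    </xrd:Service>
  </xrd:XRD>
</xrds:XRDS>
"""

# Constructed HTML-based identifier page: it can only name the OP endpoint.
SAMPLE_HTML = ('<html><head><link rel="openid2.provider" '
               'href="https://op.example.com/openid"/></head></html>')


def hybrid_services(xrds_text):
    """Return endpoint URIs of XRDS services that advertise the hybrid Type.
    A fetched XRDS is untrusted input; a hardened XML parser (e.g. defusedxml)
    is the safer choice outside a demo."""
    root = ET.fromstring(xrds_text)
    uris = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text}
        if HYBRID_TYPE in types:
            uris.extend(u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text)
    return uris


def html_provider(html):
    """Extract the OP endpoint from an HTML identifier page. There is no Type
    element here, so hybrid support cannot be determined from this page alone."""
    m = re.search(r'<link[^>]*rel="openid2\.provider"[^>]*href="([^"]+)"', html)
    return m.group(1) if m else None


def can_use_hybrid(op_endpoint, op_xrds_text):
    """True only if the OP endpoint found by discovery is one the OP's own XRDS
    marks as hybrid-capable (an exact-match check, as the thread discusses)."""
    return op_endpoint in hybrid_services(op_xrds_text)
```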