Dirk Balfanz wrote: > I'm not sure I understand what the commotion is about :-) > > OAuth discovery (when it is done), will answer the question: given the > URL of a resource, where do I go to get access tokens for that resource. > The question answered by the XRD element described in Section 5 is "does > this OpenID endpoint support the Hybrid protocol". These two questions > are somewhat related, but clearly different. And, yes, the latter is not > nearly as exciting as the former. >
What is a consumer intended to do with this information? Telling me that the OpenID provider also supports the OAuth hybrid protocol is not useful alone. It's not like I can just take any OAuth token in the world and feed it to this endpoint. More useful, I think, would be to have the OAuth discovery information *at the service endpoint* say that "the OAuth authorization URL for this service is <some-url>, and the combined OpenID/OAuth endpoint for this service is <some-other-url>". The first part of this will presumably be catered for by OAuth discovery. The second part seems like it ought to be an extension to OAuth discovery, though I don't have a good answer for what exactly it'd look like on the wire. As currently speced, I'm not sure what problem that section is addressing or what value it provides. Perhaps for now it'd be better to take that part out of the Hybrid Protocol specification and defer that problem until it's clearer how OAuth discovery will work in general. _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs