> The term most frequently used for “delegator” is “relying party.” What you
> call the service provider is most frequently called the “identity provider.”
> What you call the consumer is usually called the “subject.” See OpenID,
> InfoCard, and other similar specifications for example usage of these terms.

i hear all this - it just gets a bit complicated because we are conflating this with our oauth situation. perhaps it's time to move to an oauth + openID hybrid system.

> The subject does not want just **anybody** to verify his identity; he
> only wants the **relying party** to be able to verify his identity. So,
> the subject needs to be able to identify the relying party in the string he
> signs. Then the identity provider needs to be able to verify that the
> relying party is the one making the request, so the relying party needs to
> sign the request with its OAuth credentials.

in the general case, i completely understand this; in the twitter case, however, i'm not so sure? either way, as i said, i believe this in the general case, and i will modify to account for this.

> The subject doesn’t want the relying party to have access to the entire
> response from the account/verify_credentials request as if he had given the
> relying party read access to his account. I am not sure if
> account/verify_credentials returns sensitive information (information only
> available to apps that have been authorized by the user) yet, but I think it
> is likely in the future that it will do so. It would be prudent to have
> delegation use a different resource designed specifically for delegation.

i think this is again a general case vs a twitter case. i think in the general case, the delegator would call some endpoint that would simply verify the identity through a HTTP code (2xx for success, 4xx for failure). twitter, as a special case, sends along the user object as part of it?

> Also, it would be great if the consumer could require the delegator to also
> use TLS when verifying the identity. Maybe OAuth Wrap/2.0 will mandate HTTPS
> for this?

that's going towards the oauth 2.0/wrap world. when i write this up to account for oauth 2.0/wrap, i'll note that ssl is required.

this has been great!

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi