Raffi,

You said, "sends along the user object as part of it".

Does that explain why the user object is in some cases a bit bloated?

On Feb 10, 1:31 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> > The term most frequently used for “delegator” is “relying party.” What you
> > call the service provider is most frequently called the “identity provider.”
> > What you call the consumer is usually called the “subject.” See OpenID,
> > InfoCard, and other similar specifications for example usage of these terms.
>
> i hear all this - it just gets a bit complicated because we are
> conflating this with our oauth situation. perhaps it's time to move to an
> oauth + openID hybrid system.
>
> > The subject does not want just **anybody** to verify his identity; he
> > only wants the **relying party** to be able to verify his identity. So,
> > the subject needs to be able to identify the relying party in the string he
> > signs. Then the identity provider needs to be able to verify that the
> > relying party is the one making the request, so the relying party needs to
> > sign the request with its OAuth credentials.
>
> in the general case, i completely understand this, in the twitter case,
> however, i'm not so sure? either way, as i said, i believe this in the
> general case, and i will modify to account for this.
>
> > The subject doesn’t want the relying party to have access to the entire
> > response from the account/verify_credentials request as if he had given the
> > relying party read access to his account. I am not sure if
> > account/verify_credentials returns sensitive information (information only
> > available to apps that have been authorized by the user) yet, but I think it
> > is likely in the future that it will do so. It would be prudent to have
> > delegation use a different resource designed specifically for delegation.
>
> i think this is again a general case vs a twitter case. i think in the
> general case, the delegator would call some endpoint that would simply
> verify the identity through a HTTP code (2xx for success, 4xx for failure).
> twitter, as a special case, sends along the user object as part of it?
>
> > Also, it would be great if the consumer could require the delegator to also
> > use TLS when verifying the identity. Maybe OAuth Wrap/2.0 will mandate HTTPS
> > for this?
>
> that's going towards the oauth 2.0/wrap world. when i write this up to
> account for oauth 2.0/wrap, i'll note that ssl is required.
>
> this has been great!
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
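The delegation scheme argued for in the quoted exchange (the subject signs a string that names the relying party; the relying party signs its verification request with its own OAuth credentials; the identity provider answers with a 2xx/4xx and returns only what delegation needs rather than the full account/verify_credentials response) can be modelled end to end. The following is an added example written for this page and is not code from Twitter or from anyone in the thread. The names (`alice`, `rp.example`), the secrets, the field names and the use of a plain HMAC-SHA256 over a sorted query string in place of a real OAuth 1.0a signature base string are all assumptions made to keep the simulation self-contained; transport security (the TLS point raised above) is assumed and not modelled.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed secrets for the example (assumption, not real credentials).
# The subject's token secret is shared between the subject and the identity
# provider; the relying party's consumer secret is shared between it and the
# identity provider.
SUBJECT_TOKEN_SECRETS = {"alice": "alice-token-secret"}
RP_CONSUMER_SECRETS = {"rp.example": "rp-consumer-secret"}
# What the delegation resource is allowed to hand back: the identity only,
# not the whole user object that account/verify_credentials would return.
SUBJECT_PROFILES = {"alice": {"id": 42, "screen_name": "alice"}}

MAX_SKEW_SECONDS = 300


def _base_string(params):
    """Canonical, order-independent serialization of the fields being signed."""
    return urlencode(sorted(params.items()))


def _sign(secret, base_string):
    # Simplified stand-in for an OAuth signature (assumption for this example).
    return hmac.new(secret.encode(), base_string.encode(), hashlib.sha256).hexdigest()


def subject_make_assertion(subject, rp_id, token_secret, ts=None, nonce=None):
    """The subject signs a string that names the one relying party it is asserting to."""
    params = {
        "subject": subject,
        "rp": rp_id,
        "ts": str(int(time.time()) if ts is None else ts),
        "nonce": secrets.token_hex(8) if nonce is None else nonce,
    }
    params["subject_sig"] = _sign(token_secret, _base_string(params))
    return params


def rp_make_verify_request(rp_id, consumer_secret, assertion):
    """The relying party forwards the assertion, signing the request with its own credentials."""
    request = dict(assertion)
    request["rp_id"] = rp_id
    request["rp_sig"] = _sign(consumer_secret, _base_string(request))
    return request


class IdentityProvider:
    def __init__(self):
        self._seen_nonces = set()

    def verify_delegation(self, request, now=None):
        """Return (http_status, body); 2xx means the relying party may trust the subject's identity."""
        now = int(time.time()) if now is None else now
        req = dict(request)

        # 1. Authenticate the caller: did the relying party it claims to be sign this?
        rp_sig = req.pop("rp_sig", None)
        rp_id = req.get("rp_id")
        rp_secret = RP_CONSUMER_SECRETS.get(rp_id)
        if rp_secret is None or rp_sig is None or not hmac.compare_digest(
            rp_sig, _sign(rp_secret, _base_string(req))
        ):
            return 401, {"error": "relying party could not be authenticated"}
        req.pop("rp_id")

        # 2. Audience check: the subject only signed for one relying party.
        if req.get("rp") != rp_id:
            return 403, {"error": "assertion was issued for a different relying party"}

        # 3. Verify the subject's own signature over the string he signed.
        subject_sig = req.pop("subject_sig", None)
        token_secret = SUBJECT_TOKEN_SECRETS.get(req.get("subject"))
        if token_secret is None or subject_sig is None or not hmac.compare_digest(
            subject_sig, _sign(token_secret, _base_string(req))
        ):
            return 403, {"error": "subject signature invalid"}

        # 4. Freshness and replay protection.
        try:
            ts = int(req["ts"])
        except (KeyError, ValueError):
            return 400, {"error": "malformed timestamp"}
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return 403, {"error": "assertion expired"}
        nonce_key = (req["subject"], req.get("nonce"))
        if nonce_key in self._seen_nonces:
            return 403, {"error": "assertion replayed"}
        self._seen_nonces.add(nonce_key)

        # 5. Success: return only the identity, not a full account record.
        return 200, dict(SUBJECT_PROFILES[req["subject"]])
```

The order of the checks matters: the relying party's signature is verified before anything is done with the assertion, so an unauthenticated caller learns nothing about which subjects or nonces the identity provider has seen, and the audience check comes before the subject's signature is examined, so an assertion captured from one relying party is rejected at another even though it is genuinely signed.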