On Tue, Jan 18, 2011 at 12:44 PM, Gabriel Klein <[email protected]> wrote:
>
> I think it's a quite interesting flow, because it's more and more
> frequent to delegate the authentication to another website/service.
> (Even more when you are not part of the biggest sites.)

Perhaps I don't understand all the details of your flow here but, more generally, when resource owner authentication is delegated/federated to another website/service, wouldn't it make sense to just allow the authorization endpoint to authenticate via OpenID, SAML, FB, MS, Twitter, whatever and keep OAuth agnostic to the means of authentication?

Per http://tools.ietf.org/html/draft-ietf-oauth-v2-12#section-3.1, "The way in which the authorization server authenticates the resource owner (e.g. username and password login, session cookies) is beyond the scope of this specification." I believe that resource owner authentication was left out of scope intentionally to allow for such a separation of concerns.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
