On Wed, Jul 16, 2008 at 12:38 PM, Anders Feder <[EMAIL PROTECTED]> wrote: > tir, 15 07 2008 kl. 21:28 -0700, skrev John Panzer: >> And of course any number of extensions could be created to obtain an >> access token via an alternate path, after which normal OAuth can be >> used. > > Sure, but isn't this equally true for OpenID?
Most OpenID RPs maintain some kind of session for the user, but that is not required by the spec (some require OpenID auth to perform each action). In contrast, the whole point of OAuth is to generate an authorisation token that can be used for machine access to a site multiple times in the future. The OAuth service provider might use OpenID when deciding whether to grant an authorisation token to a client to access the site on behalf of a particular user if appropriate. James. _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs