On Wed, Jul 16, 2008 at 12:38 PM, Anders Feder <[EMAIL PROTECTED]> wrote:
> tir, 15 07 2008 kl. 21:28 -0700, skrev John Panzer:
>> And of course any number of extensions could be created to obtain an
>> access token via an alternate path, after which normal OAuth can be
>> used.
> Sure, but isn't this equally true for OpenID?

Most OpenID RPs maintain some kind of session for the user, but that
is not required by the spec (some require OpenID auth to perform each

In contrast, the whole point of OAuth is to generate an authorisation
token that can be used for machine access to a site multiple times in
the future.  The OAuth service provider might use OpenID when deciding
whether to grant an authorisation token to a client to access the site
on behalf of a particular user if appropriate.

specs mailing list

Reply via email to