On Tue, Nov 18, 2008 at 6:26 PM, Allen Tom <[EMAIL PROTECTED]> wrote:
> Manger, James H wrote:
>> Ideally, an app would attempt to access a protected resource at an SP and
>> get:
>> * A 401 Unauthenticated response from the SP; with
>> * A "WWW-Authenticate: OAuth" header; with
>> * A parameter providing the authorization URL; and
>> * Another parameter with the OP URL (when OpenID/OAuth hybrid was supported).
>>
>
> One problem with this approach is that many SPs like Yahoo and MySpace
> will require developers to register their site to get a Consumer Key.
> Given that the developer already has to manually get a CK, there might
> not be that much value in defining a workflow for Consumers to discover the
> OAuth endpoints.

I believe this technical problem will be solved anyway by the integrated OpenID/OAuth discovery mechanism via XRD (currently under discussion). As Allen remarks, though, its value will be limited while manual registration is required by most service providers.

>
> Allen
>
>
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://openid.net/mailman/listinfo/specs
>

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
