On Tue, Nov 18, 2008 at 7:45 PM, Martin Atkins <[EMAIL PROTECTED]> wrote:
> Allen Tom wrote:
>> Manger, James H wrote:
>>> Ideally, an app would attempt to access a protected resource at an SP and
>>> get:
>>> * A 401 Unauthenticated response from the SP; with
>>> * A "WWW-Authenticate: OAuth" header; with
>>> * A parameter providing the authorization URL; and
>>> * Another parameter with the OP URL (when OpenID/OAuth hybrid was
>>> supported).
>>>
>>
>> One problem with this approach is that many SPs like Yahoo and MySpace
>> will require developers to register their site to get a Consumer Key.
>> Given that the developer already has to manually get a CK, there might
>> not be that much value in defining a workflow for Consumers to discover the
>> OAuth endpoints.
>>
>
> As long as this is true it will be impossible for such SPs to expose
> non-proprietary protocols like PortableContacts, so either these SPs
> will need to find a way to work without pre-registration or we'll all
> have to accept that the open stack is impossible and go find something
> more productive to do.

At this point, there is no reasonably secure formulation of OAuth without key registration. We hope to add one for the hybrid protocol.

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
