> The term most frequently used for “delegator” is “relying party.” What you
> call the service provider is most frequently called the “identity provider.”
> What you call the consumer is usually called the “subject.” See OpenID,
> InfoCard, and other similar specifications for example usage of these terms.
> i hear all this - it just gets a bit complicated with because we are
conflating this with our oauth situation.  perhaps its time to move to an
oauth + openID hybrid system.

>  The subject does not want just **anybody** to verify his identity; he
> only wants the **relying party** to be able to verify his identity. So,
> the subject needs to be able to identify the relying party in the string he
> signs. Then the identity provider needs to be able to verify that the
> relying party is the one making the request, so the relying party needs to
> sign the request with its OAuth credentials.
in the general case, i completely understand this, in the twitter case,
however, i'm not so sure?  either way, as i said, i believe this in the
general case, and i will modify to account for this.

> The subject doesn’t want the relying party to have access to the entire
> response from the account/verify_credentials request as if he had given the
> relying party read access to his account. I am not sure if
> account/verify_credentials returns sensitive information (information only
> available to apps that have been authorized by the user) yet, but I think it
> is likely in the future that it will do so. It would be prudent to have
> delegation use a different resource designed specifically for delegation.

i think this is again a general case vs a twitter case.  i think in the
general case, the delegator would call some endpoint that would simply
verify the identity through a HTTP code (2xx for success, 4xx for failure).
 twitter, as a special case, sends along the user object ass part of it?

> Also, it would be great if the consumer could require the delegator to also
> use TLS when verifying the identity. Maybe OAuth Wrap/2.0 will mandate HTTPS
> for this?
that's going towards the oauth 2.0/wrap world.  when i write this up to
account for oauth 2.0/wrap, i'll note that ssl is required.

this has been great!

Raffi Krikorian
Twitter Platform Team

Reply via email to