> The term most frequently used for “delegator” is “relying party.” What you
> call the service provider is most frequently called the “identity provider.”
> What you call the consumer is usually called the “subject.” See OpenID,
> InfoCard, and other similar specifications for example usage of these terms.
I hear all this - it just gets a bit complicated because we are
conflating this with our OAuth situation. Perhaps it's time to move to an
OAuth + OpenID hybrid system.
> The subject does not want just **anybody** to verify his identity; he
> only wants the **relying party** to be able to verify his identity. So,
> the subject needs to be able to identify the relying party in the string he
> signs. Then the identity provider needs to be able to verify that the
> relying party is the one making the request, so the relying party needs to
> sign the request with its OAuth credentials.
In the general case, I completely understand this. In the Twitter case,
however, I'm not so sure? Either way, as I said, I believe this in the
general case, and I will modify to account for this.
> The subject doesn’t want the relying party to have access to the entire
> response from the account/verify_credentials request as if he had given the
> relying party read access to his account. I am not sure if
> account/verify_credentials returns sensitive information (information only
> available to apps that have been authorized by the user) yet, but I think it
> is likely in the future that it will do so. It would be prudent to have
> delegation use a different resource designed specifically for delegation.
I think this is again a general case vs. a Twitter case. I think in the
general case, the delegator would call some endpoint that would simply
verify the identity through an HTTP code (2xx for success, 4xx for failure).
Twitter, as a special case, sends along the user object as part of it?
> Also, it would be great if the consumer could require the delegator to also
> use TLS when verifying the identity. Maybe OAuth Wrap/2.0 will mandate HTTPS
> for this?
That's going towards the OAuth 2.0/WRAP world. When I write this up to
account for OAuth 2.0/WRAP, I'll note that SSL is required.
This has been great!
Twitter Platform Team
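The delegation flow the quoted points describe (the subject's signed string names the relying party, the relying party signs its own request with its credentials, and the verification endpoint answers only with an HTTP status rather than the user object), as an added example that is not part of this thread or of Twitter's API. HMAC-SHA256 stands in for the OAuth request signature, and the party names, secrets and in-memory nonce cache are constructed assumptions.

```python
import hmac
import hashlib

# Constructed, hypothetical secrets standing in for the OAuth credentials each party
# holds with the identity provider (IdP); not real keys.
SUBJECT_SECRETS = {"alice": b"alice-token-secret"}
RP_SECRETS = {"rp-good.example": b"good-consumer-secret",
              "rp-other.example": b"other-consumer-secret"}
_seen_nonces = set()  # IdP-side replay cache (in-memory, assumption for the example)

def sign(secret: bytes, message: str) -> str:
    """HMAC-SHA256 stands in for the OAuth request signature."""
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()

def make_assertion(subject: str, relying_party: str, nonce: str) -> dict:
    """Subject signs a string that names the relying party, binding the assertion to it."""
    msg = f"{subject}|{relying_party}|{nonce}"
    return {"subject": subject, "rp": relying_party, "nonce": nonce,
            "sig": sign(SUBJECT_SECRETS[subject], msg)}

def rp_request(relying_party: str, assertion: dict) -> dict:
    """Relying party forwards the assertion and signs the whole request with its own secret."""
    body = "|".join(assertion[k] for k in ("subject", "rp", "nonce", "sig"))
    return {"caller": relying_party, "assertion": assertion,
            "rp_sig": sign(RP_SECRETS[relying_party], body)}

def verify_delegation(request: dict) -> int:
    """IdP verification endpoint: returns only an HTTP-style status, never the user object."""
    a = request["assertion"]
    caller = request["caller"]
    rp_secret = RP_SECRETS.get(caller)
    if rp_secret is None:
        return 401  # unknown relying party
    body = "|".join(a[k] for k in ("subject", "rp", "nonce", "sig"))
    if not hmac.compare_digest(request["rp_sig"], sign(rp_secret, body)):
        return 401  # caller does not hold the credentials of the RP it claims to be
    if a["rp"] != caller:
        return 403  # assertion was issued for a different relying party
    subj_secret = SUBJECT_SECRETS.get(a["subject"])
    expected = sign(subj_secret, f"{a['subject']}|{a['rp']}|{a['nonce']}") if subj_secret else ""
    if not subj_secret or not hmac.compare_digest(a["sig"], expected):
        return 401  # subject signature invalid (unknown subject or tampered assertion)
    if a["nonce"] in _seen_nonces:
        return 403  # replay of an assertion that was already consumed
    _seen_nonces.add(a["nonce"])
    return 200
```

A relying party that forwards an assertion issued for someone else gets a 4xx even though its own request signature is valid, which is the property the quoted text asks for.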