Raffi Krikorian wrote:
i think this experiment in engaging the community around designing this security/identity workflow has been definitely a success, and i feel we're rapidly converging on a solution for identity verification delegation. in parallel, we're going to start the process to engage our media providers in the conversation as well, and we're hopeful we can move this forward quickly.
Could you explain how "OAuth Echo" works with OAuth WRAP/2.0?
Would it be possible for you to skip the OAuth 1.0a version of Echo and just deploy the WRAP/2.0 version? Otherwise, clients are going to get stuck with having to implement BOTH versions, as some delegators will surely implement only the OAuth 1.0a version, while others only implement the WRAP version. Similarly, delegators will probably feel pressure to support both versions, as some clients will only implement one or the other.
xAuth vs. the WRAP username/password profile is not such a big problem because client implements can just keep using Basic Auth until you support the WRAP username/password profile, and skip xAuth completely (unless they need to take advantage of the higher rate limits for xAuth).
in general, we really like WRAP/2.0 because it's just /so/ easy to implement from the client side. there are no longer questions around creating the proper signature base string, etc. we're sure that developers will like it as well. we've started work on an internal implementation of OAuth WRAP and we envision that we'll simultaneously support both OAuth 1.0a and WRAP/2.0 for a while. our hope is to get WRAP out the door soon (and before we finally deprecate basic authentication).
Thanks, Brian
