"I had personally requested the OIDC community about six months ago to
describe some minimal subset which we could all reasonably implement. I was
told that the specification was "locked down" and fully debugged and so
on, so no changes could be made. Imagine my surprise to find that in the
final drafts there was a whole new flow - the hybrid flow - that had been
added at the last minute. I had never heard of the hybrid flow in the OAuth
context - have you? So now you have an even larger specification!"

Prateek,

The hybrid flow wasn't new at all. It was an editorial change that
attempted to better explain multiple response types like code+token, which
is something allowed for by OAuth
http://tools.ietf.org/html/rfc6749#section-8.4 and used in Connect since
the very beginning (at least as long as I'd been involved, which is 2+
years). Nothing was added to the actual protocol.

On Wed, May 14, 2014 at 6:37 PM, Prateek Mishra
<prateek.mis...@oracle.com> wrote:

> Anil,
>
> the challenge is that OIDC is a rather large set of specifications, and to
> my knowledge even the core specification has NOT found
> a complete implementation at any large IdP. I am not talking here about
> boutique toolkits or startups, I am talking about the folks
> who have 100s of millions of users. And, BTW, implementing a few
> arbitrarily selected features from OIDC is not the same as implementing
> OIDC.
>
> As we all know, the core problem is that of adding an authenticator token
> to OAuth flows, which is a rather modest extension to OAuth.
>
> I had personally requested the OIDC community about six months ago to
> describe some minimal subset which we could all reasonably implement. I was
> told that the specification was "locked down" and fully debugged and so
> on, so no changes could be made. Imagine my surprise to find that in the
> final drafts there was a whole new flow - the hybrid flow - that had been
> added at the last minute. I had never heard of the hybrid flow in the OAuth
> context - have you? So now you have an even larger specification!
>
> The value of draft-hunt-oauth-v2-user-a4c-01 is that it describes
> precisely a minimal extension to OAuth flows to support an authenticator
> token.  In my experience, this is the subset that most customers and
> implementors are looking for.
>
>
> - prateek
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth