On Fri, Oct 2, 2009 at 11:12 AM, Justin Hart <onyxraven at gmail.com> wrote:

> In the discovery-sense, could realm define the URL to the discovery
> document, which would then define the complex validity-realm information as
> well as all the appropriate endpoints, etc? Seems like building that in
> could help solve any 'magic' url in the discovery phase. Seems like a
> reasonable use of the parameter.

That approach caused a fundamental security hole in the first OAuth discovery spec, where an evil resource could steal credentials from a good credential issuer. I'm not saying it's not a solvable problem, but it is complicated, and I just haven't seen a whole lot of use cases for a generic solution.

(As an example of how completely useless current working definitions of "realm" really are, check out http://code.google.com/p/browsersec/wiki/Part3#HTTP_authentication.)

Cheers,
Brian
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.