8. Requesting Authentication
When requesting OpenID Authentication via the protocol mode "checkid_setup" or "checkid_immediate", this extension can be used to
request that the end user authorize an OAuth access token at the same time as an OpenID authentication. This is done by sending the
following parameters as part of the OpenID request. (Note that the use of "oauth" as part of the parameter names here and in
subsequent sections is just an example. See Section 5 for details.)
REQUIRED. Value: "http://specs.openid.net/extensions/oauth/1.0".
REQUIRED. Value: The consumer key agreed upon in Section 7.
OPTIONAL. Value: A string that encodes, in a way possibly specific to the Combined Provider, one or more scopes for the
OAuth token expected in the authentication response.
9. Authorizing the OAuth Request
If the OpenID OAuth Extension is present in the authentication request, the Combined Provider SHOULD verify that the consumer key
passed in the request is authorized to be used for the realm passed in the request. If this verification succeeds, the Combined Provider
SHOULD determine that delegation of access from a user to the Combined Consumer has been requested.
The Combined Provider SHOULD NOT issue an approved request token unless it has user consent to perform such delegation.
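The following sketch of the provider-side check in Sections 8 and 9 is an added example, not part of the specification text. It assumes the field names "consumer" and "scope" under the extension alias (as in the published extension), a hypothetical in-memory registry of consumer keys to realms, exact-match realm comparison, and whitespace-separated scopes. It resolves the alias from the namespace URI instead of hard-coding "oauth".

```python
OAUTH_NS = "http://specs.openid.net/extensions/oauth/1.0"

# Constructed registry (assumption): consumer key -> realms it was registered for.
REGISTERED_CONSUMERS = {"consumer.example.com": {"https://consumer.example.com/"}}

# Constructed sample request; note the alias is "oa", not "oauth".
SAMPLE_REQUEST = {
    "openid.mode": "checkid_setup",
    "openid.realm": "https://consumer.example.com/",
    "openid.ns.oa": OAUTH_NS,
    "openid.oa.consumer": "consumer.example.com",
    "openid.oa.scope": "calendar contacts",
}


def find_alias(params):
    """Return the alias bound to the OAuth extension namespace, or None."""
    prefix = "openid.ns."
    aliases = [k[len(prefix):] for k, v in params.items()
               if k.startswith(prefix) and v == OAUTH_NS]
    # Several aliases for one namespace is ambiguous; treat the extension as absent.
    return aliases[0] if len(aliases) == 1 else None


def evaluate_oauth_request(params, registry=REGISTERED_CONSUMERS):
    """Return (delegation_requested, consumer_key, scopes) for an OpenID request."""
    denied = (False, None, [])
    if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return denied
    alias = find_alias(params)
    if alias is None:
        return denied
    consumer = params.get(f"openid.{alias}.consumer")
    realm = params.get("openid.realm")
    if not consumer or not realm:
        return denied
    # Section 9: the consumer key must be authorized for the realm in the request.
    if realm not in registry.get(consumer, set()):
        return denied
    scopes = params.get(f"openid.{alias}.scope", "").split()
    return (True, consumer, scopes)
```

A True result only establishes that delegation was requested; user consent is still needed before an approved request token is issued.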
10. Responding to Authentication Requests
If the OpenID authentication request cannot be fulfilled (either in failure mode "setup_needed" or "cancel" as in Sections 10.2.1 and
10.2.2 of [OpenID]) then the OAuth request SHOULD be considered to fail and the Provider MUST NOT send any OpenID OAuth
Extension values in the response.
The remainder of this section specifies how to handle the OAuth request in cases when the OpenID authentication response is a positive
assertion (Section 10.1 of [OpenID]).
If the end user does wish to delegate access to the Combined Consumer, the Combined Provider MUST include and MUST sign the
REQUIRED. Identical value as defined in Section 8.
REQUIRED. A user-approved request token.
OPTIONAL. A string that encodes, in a way possibly specific to the Combined Provider, one or more scopes that the returned
request token is valid for. This will typically indicate a subset of the scopes requested in Section 8.
To note that the OAuth Authorization was declined or not valid, the Combined Provider SHALL only respond with the parameter