Before you embark upon a particular implementation path, you should ask yourself some questions about what you need in your specific application and what’s available to you from a particular provider that you are trying to integrate.
The first question to ask is “What does my provider support?” Clearly, if you’re working with a service that’s an OpenID provider but does not offer OAuth, you should not be looking into a hybrid auth approach.
When working with a standard OpenID implementation, you simply need to find out two things:
If the first answer is “yes,” and you have the discovery URL, you’re ready to begin integrating OpenID authentication into your site.
Now, if you’re looking into a hybrid auth approach, you’ll need to answer not only the preceding questions about OpenID, but also a number of questions about OAuth and hybrid auth, such as:
Does the provider I’m working with support OAuth?
Does the provider I’m working with support hybrid auth to allow me to obtain a preapproved request token from OpenID, in order to exchange it for an OAuth access token?
If the answers to the preceding questions are also “yes,” then you are ready ...
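The checklist above, as an added example that is not part of the original text: given a provider's XRDS discovery document (already fetched from its discovery URL), this Python code reports whether the provider advertises an OpenID 2.0 endpoint and the OpenID OAuth (hybrid) extension type. The sample document, the `op.example.com` endpoint, the function name, and the HTTPS-only and no-DTD policies are assumptions of this example; OAuth support on its own still has to be confirmed from the provider's documentation.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"
OPENID2_TYPES = {
    "http://specs.openid.net/auth/2.0/server",   # OP identifier endpoint
    "http://specs.openid.net/auth/2.0/signon",   # claimed identifier endpoint
}
HYBRID_TYPE = "http://specs.openid.net/extensions/oauth/1.0"

# Constructed sample: what a hybrid-capable provider's XRDS might look like.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://specs.openid.net/extensions/oauth/1.0</Type>
      <URI>https://op.example.com/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def provider_capabilities(xrds_text):
    """Answer the OpenID / hybrid auth questions from an XRDS document."""
    # The document comes from a remote party: refuse DTDs so entity-expansion
    # tricks never reach the parser (example policy; XRDS does not need a DTD).
    if "<!DOCTYPE" in xrds_text:
        raise ValueError("unexpected DTD in discovery document")
    root = ET.fromstring(xrds_text)
    caps = {"openid": False, "hybrid": False, "endpoint": None}
    for service in root.iter(XRD_NS + "Service"):
        types = {(t.text or "").strip() for t in service.iter(XRD_NS + "Type")}
        if not types & OPENID2_TYPES:
            continue  # not an OpenID 2.0 service entry
        uris = [(u.text or "").strip() for u in service.iter(XRD_NS + "URI")]
        uri = next((u for u in uris if u.startswith("https://")), None)
        if uri is None:
            continue  # example policy: ignore endpoints not served over TLS
        caps["openid"] = True
        caps["endpoint"] = caps["endpoint"] or uri
        caps["hybrid"] = caps["hybrid"] or HYBRID_TYPE in types
    return caps


if __name__ == "__main__":
    print(provider_capabilities(SAMPLE_XRDS))
```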