The next step in the hybrid auth process is for the provider to deliver an approved or failed state back to the relying party, so that the relying party knows whether it can exchange the preapproved OAuth request token for an access token and complete the hybrid process.
The components of this step are identical to those of the OpenID process. The user has gone through the authentication process in step 3 and will now be forwarded to the callback with the response state from the provider, as displayed in Figure 12-2.
Figure 12-2. Hybrid auth, step 4: Provider returns OpenID approved/failed response
The OpenID provider will first process the user authentication and generate a response to the provider site. This response will either include an approved state or one of several possible failed states, depending on the outcome of the user authentication.
If the provider returns an approved state, the response object (generally sent via query string parameters) will include all parameters required to complete the OpenID process as well as any OpenID extension responses.
Besides the OpenID response, the parameter passed to the return_to location that we really care about for the OAuth piece of the puzzle is openid.oauth.request_token. This is the preapproved OAuth request token from the provider that we will need to ...
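The following is an added example, not code from the book or from any OpenID library, showing how a relying party's callback handler can sort the provider's response into approved and failed states and pull out the preapproved request token. The callback URLs are constructed sample data; the hostnames, the token value and the signature are placeholders. It assumes the surrounding OpenID library has already verified openid.sig (through the association or check_authentication), so the only signature-related check shown here is that the OAuth extension fields are listed in openid.signed, which is what stops an unsigned request_token from being trusted. It also locates the extension alias by namespace URI rather than assuming the alias is literally "oauth".

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Namespace URI of the OpenID OAuth Extension 1.0
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"


def build_callback(params):
    """Construct a sample return_to URL (test data only; a real provider redirects here)."""
    return "https://rp.example/callback?" + urlencode(params)


# Constructed positive assertion carrying a preapproved request token
_APPROVED_PARAMS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://provider.example/id/alice",
    "openid.identity": "https://provider.example/id/alice",
    "openid.return_to": "https://rp.example/callback",
    "openid.ns.oauth": OAUTH_EXT_NS,
    "openid.oauth.request_token": "constructed-request-token-1234",
    "openid.oauth.scope": "https://provider.example/api",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.oauth,oauth.request_token,oauth.scope",
    "openid.sig": "placeholder-signature",
}
APPROVED_CALLBACK = build_callback(_APPROVED_PARAMS)

# Constructed failed state: the user cancelled at the provider
CANCELLED_CALLBACK = build_callback({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "cancel",
})

# Constructed response where the token is present but NOT covered by the signature
UNSIGNED_TOKEN_CALLBACK = build_callback({
    **_APPROVED_PARAMS,
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
})


def parse_callback_query(url):
    """Flatten the query string of the return_to callback into a plain dict."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}


def find_oauth_alias(params):
    """Return the alias bound to the OAuth extension namespace, or None.

    The provider usually uses 'oauth', but the alias is its choice, so match
    on the namespace value of openid.ns.<alias> instead of a fixed name.
    """
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == OAUTH_EXT_NS:
            return key[len("openid.ns."):]
    return None


def parse_hybrid_response(url):
    """Classify the provider's response and extract the preapproved request token."""
    result = {"status": "failed", "reason": None, "request_token": None, "scope": None}
    params = parse_callback_query(url)
    mode = params.get("openid.mode")

    if mode == "cancel":
        result.update(status="cancelled", reason="user cancelled at provider")
        return result
    if mode != "id_res":
        result["reason"] = params.get("openid.error", f"unexpected openid.mode {mode!r}")
        return result

    # Positive OpenID assertion; now look for the OAuth extension piece
    result["status"] = "approved"
    alias = find_oauth_alias(params)
    if alias is None:
        result["reason"] = "no OAuth extension in response"
        return result

    token = params.get(f"openid.{alias}.request_token")
    if token is None:
        # OpenID succeeded but no token was preapproved (e.g. user declined the scope)
        result["reason"] = "OpenID approved, no request token granted"
        return result

    # Only trust the token if its fields are inside the signed parameter list
    signed = set(params.get("openid.signed", "").split(","))
    required = {f"ns.{alias}", f"{alias}.request_token"}
    if not required <= signed:
        result.update(status="failed", reason="OAuth fields not covered by openid.signed")
        return result

    result.update(request_token=token, scope=params.get(f"openid.{alias}.scope"))
    return result


if __name__ == "__main__":
    for name, url in [("approved", APPROVED_CALLBACK),
                      ("cancelled", CANCELLED_CALLBACK),
                      ("unsigned token", UNSIGNED_TOKEN_CALLBACK)]:
        print(name, "->", parse_hybrid_response(url))
```

An "approved" result with a request_token is the only state in which the relying party should go on to exchange the token for an access token; "cancelled", "failed", and "approved" without a token all end the hybrid flow at this step. The relying party still owes the normal OpenID checks (return_to matches the request, the nonce is fresh, the signature verifies) before it acts on any of these values.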