[OpenID] Simple Registration: why have "required" fields?

Simon Willison simon at simonwillison.net
Thu Mar 1 16:43:06 UTC 2007


I've been experimenting with simple registration recently [1]. One
thing I don't understand about it is why it differentiates between
'required' and 'optional' fields, since surely the relying party
should specifically request any data that hasn't been provided by the
identity provider.

Case in point: I tried to sign up for an account on http://grou.ps/
using my simonwillison.net OpenID, which doesn't support simple
registration. When I was redirected back to grou.ps I got a nasty
error message:

"OpenID server does not return your email appropriately"

That was the whole page - there was no form to enter my e-mail address there.

You could argue that this is a problem with grou.ps - I e-mailed them
to suggest that they change their implementation. But the very
existence of openid.sreg.required would seem to suggest that sites can
do this kind of thing if they want to. It said "required", so why
cater for identity providers that don't fulfil the contract?

I would suggest removing the distinction between required and optional
fields entirely, since that is a policy decision that should be
handled entirely at the relying party's end (by refusing to let people
sign up until they manually enter the required fields, for example).

Cheers,

Simon

[1] http://www.openidenabled.com/openid/simple-registration-extension
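
Added example, not part of the original message and not code from grou.ps or any OpenID library: a relying party that treats "required" as its own policy, pre-filling what the provider returned and asking the user for the rest instead of failing. The function names and sample query strings are constructed, and the code assumes the OpenID library has already verified the response signature; it only checks that each sreg value is listed in openid.signed.

```python
from urllib.parse import parse_qs

# Field names defined by Simple Registration 1.0.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}

def sreg_from_response(query_string):
    """Return the sreg fields the provider sent and signed.

    Assumption: the signature over the keys in openid.signed was already
    verified elsewhere; this only checks that each field is covered by it.
    """
    parsed = parse_qs(query_string, keep_blank_values=True)
    params = {key: vals[0] for key, vals in parsed.items()}
    signed = set(params.get("openid.signed", "").split(","))
    values = {}
    for name in SREG_FIELDS:
        value = params.get("openid.sreg." + name, "").strip()
        # Ignore empty values and values not covered by the signature.
        if value and ("sreg." + name) in signed:
            values[name] = value
    return values

def registration_plan(query_string, site_required):
    """Decide what the relying party still has to ask the user for."""
    prefill = sreg_from_response(query_string)
    missing = sorted(f for f in site_required if f not in prefill)
    return {"prefill": prefill, "ask_user": missing}

# Constructed sample return_to query strings (not captured traffic).
NO_SREG = ("openid.mode=id_res&openid.identity=http%3A%2F%2Fexample.org%2F"
           "&openid.signed=mode%2Cidentity%2Creturn_to")
# Provider returns nickname (signed) and email (present but unsigned).
WITH_SREG = (NO_SREG.replace("return_to", "return_to%2Csreg.nickname")
             + "&openid.sreg.nickname=alice"
             + "&openid.sreg.email=alice%40example.org")

if __name__ == "__main__":
    for label, qs in (("no sreg", NO_SREG), ("partial sreg", WITH_SREG)):
        print(label, registration_plan(qs, {"email", "nickname"}))
```

The "ask_user" list drives the sign-up form: a provider without simple registration support yields a form with every site-required field, not an error page.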


