[OpenID] Simple Registration: why have "required" fields?

Jonathan Daugherty cygnus at janrain.com
Thu Mar 1 16:55:17 UTC 2007

# You could argue that this is a problem with grou.ps - I e-mailed
# them to suggest that they change their implementation. But the very
# existence of openid.sreg.required would seem to suggest that sites
# can do this kind of thing if they want to. It said "required", so
# why cater for identity providers that don't fulfil the contract?

I can definitely see your point, but I think the problem is in the
spec wording.  The spec does say that the absence of sreg.required
values in the response ought to prevent the RP from completing the
registration, and that's what grou.ps is doing.  The intent (and the
behavior on most sites that support sreg) was for sreg to be *purely*
advisory.  Actually enforcing the RP's requirements at the IDP makes
the user experience worse.  The idea was for the sreg
required/optional data to be helpful in letting a user decide what
information to release, with some sense of what the requirement levels
are.  The spec should be updated to say that RPs SHOULD still present
a registration form if any of the desired information is not returned,
and the language for "openid.sreg.required" should be weakened.  RPs
will need to implement a registration form anyway, because not all
servers support sreg, and that's something else that should be very
clear in the spec.

  Jonathan Daugherty
  JanRain, Inc.
  irc.freenode.net: cygnus in #openid
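
The advisory handling described in the message above, next to the strict handling it argues against, as an added example (not part of the original post and not JanRain's or grou.ps's code). It assumes the OpenID response has already been verified; the function names and the sample query string are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Field names defined by OpenID Simple Registration 1.0.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}
PREFIX = "openid.sreg."

# Constructed sample: the IdP returned nickname and fullname but no email.
SAMPLE_RESPONSE = ("openid.mode=id_res&openid.sreg.nickname=alice"
                   "&openid.sreg.fullname=Alice+Example")


def extract_sreg(response_query):
    """Return the known, non-empty sreg fields found in a response query string."""
    found = {}
    for key, value in parse_qsl(response_query, keep_blank_values=True):
        if key.startswith(PREFIX):
            name = key[len(PREFIX):]
            if name in SREG_FIELDS and value.strip():
                found[name] = value.strip()
    return found


def strict_registration(response_query, required):
    """Strict reading: refuse unless every required field came back."""
    returned = extract_sreg(response_query)
    return all(f in returned for f in required)


def plan_registration(response_query, required, optional=()):
    """Advisory reading: never reject; work out what the form must still ask."""
    returned = extract_sreg(response_query)
    wanted = list(required) + [f for f in optional if f not in required]
    prefill = {f: returned[f] for f in wanted if f in returned}
    missing = [f for f in required if f not in returned]
    # show_form is True whenever something the RP needs was not released,
    # which also covers IdPs that do not support sreg at all.
    return {"prefill": prefill, "ask_user_for": missing,
            "show_form": bool(missing)}


if __name__ == "__main__":
    print(strict_registration(SAMPLE_RESPONSE, ["nickname", "email"]))
    print(plan_registration(SAMPLE_RESPONSE, ["nickname", "email"], ["fullname"]))
```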
