[OpenID] About Facebook, MySpace and OpenID

SitG Admin sysadmin at shadowsinthegarden.com
Sat Apr 4 00:05:52 UTC 2009

>If I were to read the spec on its own as an OP I would probably come 
>to the conclusion that what I need is an interface that shows the RP 
>has requested:
>1. A set of information that is purely optional and they will 
>provide service even if the information is not provided.
>2. A set of information that the RP may restrict or deny service if 
>I don't provide.

The point of overlap there is "restrict". RPs could provide some 
service if their key requirements are met, but additional (optional) 
attributes would be required to "unlock" other services. Since the RP 
would not deny service entirely if those additional attributes were 
withheld, it is not "required", but service will still be restricted 
if less than everything is available.

For instance, a non-specialized Relying Party might provide E-mail 
alerts, SMS alerts, a dating service, a snail-mail proxy (mail is 
accepted for you at their address, then they redeliver it to your 
doorstep without exposing you to home invasion or snail spam), a $25 
gift certificate usable at any of their allied stores but only as a 
birthday present - if you give them an E-mail address they will do 
#1, if you give them your phone number they will do #2, if you give 
them your full name they will do #3, if you give them your home 
address they will do #4, and if you give them your date of birth they 
will give you #5; there is no single attribute which MUST be present 
or the whole service is unavailable, but with none of that 
information they cannot give you anything.

>I let the user select or deselect any of their available attributes 
>and send back a positive response unless the user decides to cancel 
>the login.
>This includes not sending back required attributes.

I strongly agree with this. OPs should not force an all-or-nothing 
response upon their users.
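The two sides of the exchange sketched in the post, as an added example that is not part of the original message: an OP that lets the user drop any requested attribute (required or not) before answering, and an RP that treats a missing attribute as a restriction on features rather than a reason to refuse the login. The five services and their attribute needs are the hypothetical ones from the post; the attribute names are Attribute Exchange type URIs from axschema.org, which I am assuming here since the post itself does not name a protocol extension, and the request/response shapes are simplified dicts rather than real openid.ax.* parameters.

```python
"""Partial-attribute handling for an OpenID OP and RP (added example).

Assumptions (mine, not the post's): attributes are keyed by AX type URIs
from axschema.org, requests are a dict of uri -> "required"|"if_available"
mirroring the openid.ax.required / openid.ax.if_available lists, and the
five gated services are the hypothetical ones described in the post.
"""

# AX attribute type URIs (axschema.org); chosen here as an assumption
EMAIL = "http://axschema.org/contact/email"
PHONE = "http://axschema.org/contact/phone/default"
NAME = "http://axschema.org/namePerson"
ADDRESS = "http://axschema.org/contact/postalAddress/home"
DOB = "http://axschema.org/birthDate"

# RP side: nothing here is needed for login itself; each attribute set
# merely unlocks one feature (hypothetical services from the post).
SERVICES = {
    "email_alerts": {EMAIL},
    "sms_alerts": {PHONE},
    "dating": {NAME},
    "mail_proxy": {NAME, ADDRESS},
    "birthday_gift": {NAME, ADDRESS, DOB},
}


def rp_build_request():
    """RP side: ask for everything, but mark nothing as 'required' since
    the RP can still serve a user who releases nothing at all."""
    needed = set().union(*SERVICES.values())
    return {uri: "if_available" for uri in sorted(needed)}


def op_consent_screen(requested):
    """OP side: what to show the user. The RP's required/if_available
    mode is displayed as a hint only; every box starts ticked and every
    box can be unticked, required ones included."""
    return [(uri, mode, True) for uri, mode in sorted(requested.items())]


def op_build_response(requested, user_values, user_allowed):
    """OP side: release only the attributes the user left ticked and
    actually has a value for. A deselected 'required' attribute is
    simply omitted; the response is still positive (not a cancel)."""
    return {
        uri: user_values[uri]
        for uri in requested
        if uri in user_allowed and user_values.get(uri)
    }


def rp_unlocked_services(response):
    """RP side: never fail the login because something was withheld;
    compute which features the released attributes unlock."""
    have = {uri for uri, value in response.items() if value}
    return sorted(name for name, needs in SERVICES.items() if needs <= have)


def rp_missing_for(service, response):
    """RP side: tell the user what else would unlock a restricted service,
    so 'restricted' is explained rather than silently failing."""
    have = {uri for uri, value in response.items() if value}
    return SERVICES[service] - have


if __name__ == "__main__":
    # Constructed sample data; the user declines to share phone and address.
    request = rp_build_request()
    user_values = {EMAIL: "user@example.invalid", PHONE: "+10000000000",
                   NAME: "A. User", ADDRESS: "1 Example St", DOB: "1980-01-01"}
    ticked = {EMAIL, NAME, DOB}
    for uri, mode, default in op_consent_screen(request):
        print(f"[{'x' if uri in ticked else ' '}] {uri} ({mode})")
    response = op_build_response(request, user_values, ticked)
    print("unlocked:", rp_unlocked_services(response))
    print("still needed for birthday_gift:", rp_missing_for("birthday_gift", response))
```

The RP never inspects whether a withheld attribute was marked required; it only asks "what can I offer with what I actually received", which is the behaviour the post argues for on both sides.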