[OpenID] OAuth vs. AX

Andrew Arnott andrewarnott at gmail.com
Sat Apr 4 03:17:48 UTC 2009

AX has this push mechanism that allows OPs to notify RPs when attribute
values have changed.  I've never heard of this being used.  RPs probably do
want to know when their user's data has changed, but AX push is too scary,
too poorly supported, or something.
But what if we took a different approach?  What if, instead of AX, we used
OAuth?  Follow me on this.

Send an OAuth request for permissions to a user's email address, rather than
an AX request for the email address itself.  Then the RP can request the
user's email address whenever it wants it, whether or not the user is
currently authenticating.

What does this buy you?  Ok, not a lot.  But it's an interesting use case
for OAuth that I think we should consider.

Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
