[OpenID] Google and AX

SitG Admin sysadmin at shadowsinthegarden.com
Sat Apr 4 05:50:32 UTC 2009


Wow. That . . . is totally not how I had expected AX to work.

I don't see this playing well with websites that endeavor to maintain 
their users' privacy by requesting data only when needed and 
discarding it as soon as possible. At the very least, can there be a 
stronger form of "required" that means "send me the latest/updated 
value, right now"?

-Shade

>I would say, another thing that Google does that may play into all
>this is that they don't always send AX attributes back at all.  If the
>RP and OP have communicated before concerning a certain
>identity; then the RP may actually get no attributes whatsoever
>on subsequent interactions (Google assumes that the RP will
>remember these attributes the first time, which means that in
>practice the RP will be forced to remember these attributes).
>
>This also coerces the RP to try to request ALL the attributes it thinks
>it might ever need the very first time it interacts with Google.  And since
>it is also using directed identity (where the RP doesn't know the identity
>beforehand), this effectively means that the RP is going to have to
>request all the possible AX attributes it might ever desire for any user,
>effectively as a *required* attribute, on every single request!  Because if
>it guesses wrong and decides not to ask for a particular attribute even
>once, it may then be locked out of ever getting that attribute in the future.


