[OpenID] About Facebook, MySpace and OpenID

Peter Williams pwilliams at rapattoni.com
Sun Apr 5 17:41:25 UTC 2009



> -----Original Message-----
> From: Deron Meranda [mailto:deron.meranda at gmail.com]
> Sent: Sunday, April 05, 2009 10:32 AM
> To: Peter Williams
> Cc: general
> Subject: Re: [OpenID] About Facebook, MySpace and OpenID

> On Sun, Apr 5, 2009 at 1:04 PM, Peter Williams
> <pwilliams at rapattoni.com> wrote:
> > The context is one of an OP minting an openid assertion, which
> > creates an RP session based on asking for n attributes. But, if I as RP
> > ask for another assertion 59 minutes later, I don’t expect as an RP to
> > be asking for more or less attributes at that point (just because some
> > or other set was or was not requested/delivered last time). I just ask
> > for another assertion, and indicate that I need the OP to (still)
> > represent the n attributes as (then) accurate, etc.
>
> Sure, that's valid.  But also as an RP you shouldn't expect that just
> because you ask for an attribute that you'll get it back if the answer
> is still the same as the last time you asked.  This is a
> protocol/bandwidth optimization thing that Google is doing; but it
> doesn't fundamentally change the correctness does it?  (other than
> requiring the RP maintain state between requests).

[Peter Williams] Aha.

Does openid auth conformance *require* the RP to maintain state, or does Google's implementation *require* the RP to maintain state?

If it’s the protocol, it gets added to the testing suite. RPs failing to retain the required state may be labeled non-conforming (or, in openid culture, "not OSIS tested" -- to be politically correct). If it’s the implementation, we get to debate the propriety of the OP's implementation in an open community.



