[OpenID] About Facebook, MySpace and OpenID

Deron Meranda deron.meranda at gmail.com
Mon Apr 6 16:54:20 UTC 2009

On Mon, Apr 6, 2009 at 12:25 PM, Breno de Medeiros <breno at google.com> wrote:
> Currently the user cannot deny sending the email attribute independently of
> canceling the request. However, if it were possible, on a subsequent request
> that includes an email attribute the user would be prompted to approve it
> and it would be sent.  There is no penalty to an RP for not asking for
> attributes that they do not need in the particular context of a request.

Breno, do you think somebody at Google can perhaps update the
documentation <http://code.google.com/apis/accounts/docs/OpenID.html>
to make it more clear to everybody what all of these Google-specific
behaviors are that we've been discussing in this thread?

It mentions the RP must store OAuth values, but says nothing of AX attributes.
Also it doesn't talk about the specifics, such as attributes you've never
asked for before (or Google doesn't support) will still be returned when
you later do ask (or Google starts supporting); or how Google
interprets the if_available list in terms of the user's choice.

Also, do you have any insight if/when Google may support additional
attributes?  Some of the most universal and immediately useful and
perhaps the least controversial would be the time zone and language

Deron Meranda

More information about the general mailing list