[OpenID] Demo Travel/ retailshop

Andrew Arnott andrewarnott at gmail.com
Sun Apr 26 21:05:51 UTC 2009


Sure...
I've never seen it actually used in the wild, but the OpenID spec allows for
the protocol to be used for non-authentication purposes.  By leaving out the
openid.identity and openid.claimed_id parameters completely from a checkid
request, the RP signifies to the OP that it is not requesting an identity
assertion, but for some responses to attached request extensions.  Some
extensions like PAPE seem to only apply to authentication requests.  But
other extensions like AX or sreg could be answered regarding the user who is
logged into the OP, without the OP actually asserting that user's identity
to the RP.  Effectively, the RP would be asking an OP "I already know who
this user is, but I'd like to learn more about them."  This would be useful
if the user likes to log in with Google, but PayPal is needed to provide
some kind of payment processing or attributes.

It would *not* be useful to obtain credit card information from PayPal,
since no OpenID extension that I know of encrypts the data in transit.  If
both the OP and RP used HTTPS that would help, but it would make me nervous.
 For sensitive data such as this, OAuth may be the better option since the
RP could talk directly to the SP over HTTPS with no user agent go-between.

But again, I've never seen identity-less OpenID in the wild, so I don't know
how many OPs/RPs actually support it.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sun, Apr 26, 2009 at 10:35 AM, <leon at kuunders.info> wrote:

>  Interesting. Could you elaborate on this?
> cheers, --Leon.
>
> Andrew Arnott wrote:
>
> In retrospect, I guess an OpenID transaction using AX, omitting the
> openid.identity and openid.claimed_id parameters to signify this isn't an
> authentication while still leveraging AX, could be used in this scenario
> with PayPal as well.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
> On Sun, Apr 26, 2009 at 7:10 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:
>
>> Remember (I say this to everyone on the list),
>>  Just because PayPal would make an excellent source of this information,
>> that doesn't mean that it should become an OP.  In the interest of the SSO
>> model, since we seem to have enough big OPs out there, why not have PayPal
>> become an OAuth Service Provider?
>>
>>  Imagine... you're already logged into eBay using your preferred OP.
>>  You're now ready to purchase.  Why make you log in again using PayPal?
>>  Instead, just click the Pay With PayPal button.  You see PayPal pop up,
>> asking you to verify the purchase/bid/whatever.  You click Yes.  You see
>> eBay again, and it has received all the info it needs.  If you weren't
>> already signed into PayPal you may need to sign in there before clicking
>> "Yes", but you're strictly logging into PayPal and not re-logging into eBay.
>>
>>  You don't need to be an OP to be able to provide this info.  If
>> authentication isn't strictly necessary, OAuth is usually the right choice.
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - Voltaire
>>
>>
>> On Sun, Apr 26, 2009 at 5:54 AM, Santosh Rajan <santrajan at gmail.com> wrote:
>>
>>> I think Visa, Mastercard etc. will get into the act! Incidentally, PayPal
>>> is in an excellent position to be an OP for shopping sites, because not only
>>> can it provide a verified email address, it can also tell the RP if the user
>>> is a PayPal verified user, i.e. he has a verified credit card. (Of course they
>>> will need to communicate this info somehow.)
>>>
>>> On Sun, Apr 26, 2009 at 5:28 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
>>>
>>>>
>>>> so where are people planning on storing (partial) credit card data -
>>>>
>>>> 1. at the op (paypal OP model) attribute server
>>>> 2. in the release module of the OP, under user control
>>>> 3. at the discovery agent (users XRDS, somehow protected)
>>>> 4. one of the RPs
>>>> 5. a super RP trusted by other RPs?
>>>>
>>>>
>>>> It's a good test of the UCI/openid model, as now we have a sensitive
>>>> attribute to worry about. No one can just wave their hands and say: openid
>>>> is for things that don't matter much...
>>>> ________________________________________
>>>> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf
>>>> Of Santosh Rajan [santrajan at gmail.com]
>>>> Sent: Saturday, April 25, 2009 8:03 PM
>>>> To: general at openid.net
>>>> Subject: Re: [OpenID] Demo Travel/ retailshop
>>>>
>>>> I am willing to help.
>>>>
>>>>
>>>> nieuwsgroep wrote:
>>>> >
>>>> > I think Brian Kissel and the others of the retail advisory committee
>>>> > (http://www.slideshare.net/bkkissel/openid-foundation-retail-advisory-committee-webinar?type=powerpoint)
>>>> > did a great job summarizing the benefits of OpenID for retailers. It
>>>> > really helps to discuss OpenID with some of the relying party decision
>>>> > makers.
>>>> >
>>>> > In addition to the presentation I think it would help a lot if these
>>>> > benefits can be shown in an online demo. Convincing potential RPs to
>>>> > start a pilot project.
>>>> >
>>>> > Anyone working on a retail demo that shows the benefits by the following
>>>> > scenario:
>>>> >
>>>> > 1. Register online on a demo travelshop with an OpenID, collecting as
>>>> >    much profile data as possible to prefill the registration form.
>>>> >
>>>> > 2. Return to the travelsite and easily login with an OpenID
>>>> >
>>>> > 3. Book a demo holiday and post this back to my IDP/ Social profile
>>>> >    (Like facebook or myspace) telling my connections I planned a holiday
>>>> >    with DemoTravelshop.
>>>> >
>>>> > 4. Additionally easily redirect (Federated login) to a demo partnersite
>>>> >    to rent a car.
>>>> >
>>>> > A good demo like this would complement the story to potential RPs and
>>>> > make it more tangible.
>>>> >
>>>> > Anyone working on such a demo, plans to, or willing to help on this?
>>>> >
>>>> > Kick
>>>> >
>>>> > _______________________________________________
>>>> > general mailing list
>>>> > general at openid.net
>>>> > http://openid.net/mailman/listinfo/general
>>>> >
>>>> >
>>>>
>>>>
>>>> -----
>>>>
>>>> Santosh Rajan
>>>> http://santrajan.blogspot.com
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Demo-Travel--retailshop-tp23236118p23238762.html
>>>> Sent from the OpenID - General mailing list archive at Nabble.com.
>>>>
>
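The identity-less request described in the first message of this thread, sketched from the RP side as an added example that is not part of the original posts or of any OpenID library. The function names, URLs and sample values are hypothetical; it assumes an HMAC-SHA256 association with the OP already exists and that nonce replay and return_to checks are done elsewhere.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"

def build_identityless_request(op_endpoint, return_to, realm, attrs):
    """checkid_setup URL that carries an AX fetch request and no identifier."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.required": ",".join(attrs),
    }
    for alias, type_uri in attrs.items():
        params["openid.ax.type." + alias] = type_uri
    # openid.identity and openid.claimed_id are deliberately left out.
    return op_endpoint + "?" + urlencode(params)

def signature(fields, mac_key):
    """OpenID 2.0 signature: HMAC over 'name:value' lines of the signed fields."""
    signed = fields["openid.signed"].split(",")
    text = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    mac = hmac.new(mac_key, text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def accept_attributes(response, mac_key, session_user):
    """Accept AX values only if signed, and bind them to the RP's own session user."""
    if response.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if "openid.identity" in response or "openid.claimed_id" in response:
        raise ValueError("identity assertion was not requested")
    if not hmac.compare_digest(signature(response, mac_key), response.get("openid.sig", "")):
        raise ValueError("bad signature")
    signed = set(response["openid.signed"].split(","))
    values = {}
    for key, value in response.items():
        if key.startswith("openid.ax.value."):
            if key[len("openid."):] not in signed:
                raise ValueError("unsigned attribute: " + key)
            values[key[len("openid.ax.value."):]] = value
    # The OP asserted no identifier, so the attributes attach to the user the
    # RP authenticated earlier, never to anything carried in this response.
    return {"user": session_user, "attributes": values}
```

The signature only proves the OP issued these values; the response still travels through the user agent in the clear unless both ends use HTTPS, which is the concern raised above about sensitive data.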