<div>Yea, I came across your OpenID Exchange spec soon after I sent that e-mail. Very cool.</div>
<div> </div>
<div>Assuming I make it far enough, this is exactly what I'll use. Likely I'll use an Exchange request to set up a session over which various requests can be made.</div>
<div> </div>
<div>Oh, I tried using your Blog Post/Personality Test example but it kept failing when attempting to post to the blog from the test...</div>
<div> </div>
<div>Thanks,</div>
<div><br>Chris<br><br> </div>
<div><span class="gmail_quote">On 2/12/07, <b class="gmail_sendername">Martin Atkins</b> <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Chris Richard wrote:<br>> I want to expose a web service that relying parties can use on behalf<br>> of users and I'd like to use OpenID to authenticate users at this service.
<br>><br>> I'd like to add the service (a new service type) to the user's XRDS<br>> (which already contains an OpenID service) and now the relying party can<br>> find both services it needs. But what should the communication look like
<br>> between these four parties (the user agent, relying party, OpenID<br>> service, my web service)? Does the relying party need to authenticate<br>> the user with OpenID first and then forward the user through my service
<br>> where the user is again authenticated and eventually sent back to the<br>> relying party?<br>><br><br>This is the sort of thing that I envisaged OpenID Exchange (whose name<br>will probably change if it's ever published as a spec) would be useful for:
<br> <<a href="http://openid.net/wiki/index.php/OpenID_Exchange_1.0">http://openid.net/wiki/index.php/OpenID_Exchange_1.0</a>><br><br>To answer your question in the context of OpenID Exchange, the relying<br>party can optionally authenticate the user, but ultimately it is most
<br>important that the target service authenticates the user.<br><br>I think in most cases either the RP will already know the identity of<br>the remote user or they won't care at all. If it's desired, both the RP
<br>and the service can authenticate the user as part of the process, but of<br>course that leads to the sub-optimal situation where the user could get<br>prompted to approve a site twice, which is likely to cause confusion.
<br><br>Sadly I've not had much time recently to work on a prototype<br>implementation of this beyond my simple demo.<br><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net">
general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br></blockquote></div><br>