<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">Very interesting question.
Unless you are expecting the RP to invoke your web service via an
indirect request through the browser, this is taking OpenID past what
it was originally designed for.<br>
<br>
Regardless, it raises some interesting questions...<br>
1. In a user-centric view, where does the user give consent for the RP
to invoke your web service? The RP is giving out a correlatable handle
for the user to your web service. This seems to be in violation of
"law" 4 (Directed Identity).<br>
2. How does your web service get into my XRDS file (either delivered as
part of a domain I own, or as provided by my OpenID Provider)?<br>
3. If the RP can ask the OP for an "authentication token" to access
your web service, how does your web service validate that
"authentication token" such that you have confidence the user is
currently authenticated?<br>
<br>
I can see a lot of application of the SAML specifications (maybe
referenced via an artifact) to this problem. Your web service could
then resolve the artifact and have an assertion as to the user, who
authenticated the user, additional attributes, etc.<br>
<br>
I do agree that this is a natural follow on to OpenID's authenticated
identifier.<br>
<br>
Thanks,<br>
George<br>
</font><br>
Chris Richard wrote:
<blockquote cite="mid4c7b59910702120157l518214c0n4c97437308eb6195@mail.gmail.com" type="cite">
<div>I want to expose a web service that relying parties can use on
behalf of users and I'd like to use OpenID to authenticate users at
this service.</div>
<div> </div>
<div>I'd like to add the service (a new service type) to the user's
XRDS (which already contains an OpenID service) and now the relying
party can find both services it needs. But what should the
communication look like between these four parties (the user agent,
relying party, OpenID service, my web service)? Does the relying party
need to authenticate the user with OpenID first and then forward the
user through my service where the user is again authenticated and
eventually sent back to the relying party?
</div>
<div> </div>
<div>Thanks in advance for any comments.</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
</body>
</html>