[PROPOSAL] bare response / bare request

Dick Hardt dick at sxip.com
Sun Oct 1 14:59:46 UTC 2006


The user goes to their IdP and is presented with a list of sites they
have logged onto in the past. They click on one of the links and are
sent to that site with a POST that has the parameters of a response
to an authentication request. The RP verifies the message and logs in
the user. Since the RP did not initiate the transaction, the response
is a bare response; there was no corresponding request.

In the protocol, it is assumed that indirect messages all start with
the RP making a request, go to the IdP, then the IdP sends a response
to the RP.

I am suggesting that there are use cases where only a response or  
only a request is desired.

Is that more clear?

-- Dick

On 1-Oct-06, at 3:38 AM, Recordon, David wrote:

> I'm confused, can you explain this again please?
>
> --David
>
>
> -----Original Message-----
> From: specs-bounces at openid.net on behalf of Dick Hardt
> Sent: Sat 9/30/2006 5:09 PM
> To: specs at openid.net
> Subject: [PROPOSAL] bare response / bare request
>
> Motivating Use Case
> ----------------------------
> The IdP would like to allow the user to click a link on the IdP to
> log in to an RP. This requires a bare response to be able to be sent.
> A Trusted Party, acting as an RP would like to store a value at the
> IdP, but does not need the IdP to send the user back, a bare request
> is needed.
>
>
> Proposed Implementation
> -----------------------------------
> bare request: if the openid.return_to parameter is missing or blank,
> then the IdP will not send the user back to the RP
>
> bare response: sending a bare response is valid (not sure we need to
> do anything more than say it is OK to do)