Allowing sites to renew information
Dick Hardt
dick at sxip.com
Thu Sep 28 01:52:48 UTC 2006
On 26-Sep-06, at 3:58 PM, Recordon, David wrote:
> I think that is slightly different from what Gerv was referring to.
>
> With Simple Registration, there is nothing stopping a relying party
> from
> requesting the email address with every authentication request. Most
> implementations however don't seem to do this, rather only request
> data
> if they don't have it.
>
> In a sense, I think there are two schools of thought:
> 1) IdP pushes new data to each RP
> 2) Each RP pulls new data in each authentication request
OpenID AX supports both. The RP can decide how it wants to work. If
it supplies an update_url, then it hopefully get changes pushed by
the IdP. This is likely best for sites that you would visit
infrequently. Eg. signing up for a magazine subscription.
Sites that want accurate data for each transaction will likely
request the data on each authentication request. Since the RP does
not know if it has the user's data until it knows the user, it is
likely easier to ask for the data each time assuming it is not a
massive amount of data.
Others think the RP should be able to request the data without the
user is present. Time will tell if that is a viable model.
Agree that the specs should not dictate a particular way.
Gerv: did this address your use case?
-- Dick
More information about the specs
mailing list