Attribute Exchange pre-draft 5

Josh Hoyt josh at janrain.com
Mon Apr 2 21:35:37 UTC 2007


On 4/2/07, Rowan Kerr <rowan at sxip.com> wrote:
> On 2-Apr-07, at 3:14 PM, Josh Hoyt wrote:
> > My intuition is that a server could advertise what attributes it
> > supports rather than including this information in a user-specific
> > response. So, -0.5 on this. If it does go in, I'd say -1 on making it
> > REQUIRED.
>
> I suppose that (one or more) RDF file(s) could be returned as part
> of the AX discovery.. and the RDF's would have the attributes
> that are supported by the OP.
>
> I was just concerned about prompting a user multiple times
> for the same data, but if an RP can discover the supported
> attributes before requesting them, then that should cover it.

Why would the user be prompted more than once? I see it like this:

 RP: I want attributes A, B, and C.
 OP: OK, I support A, and B, and the user wants to send A, so my
response will contain A, but not B or C
 RP: OK, now I have A. I'll have to prompt the user for B and C if I
require them.

Is it prompting for B again that you're worried about?

If so, and it's required for the RP to do its job, then I don't think
that it's avoidable. If the user didn't want to send it, and it's
required, the application will have to stop the user one way or
another, and offering the user *some* way to continue is reasonable.

I think that the "required" request parameter will take care of most
of the problem, because users will know that if they refuse to send a
value for that attribute, the relying party will have to ask them.

Josh
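Added example, not part of the original message or of any OpenID library: a small simulation of the RP/OP exchange sketched above, showing how an RP works out which required attributes it still has to ask the user for. The parameter names follow the published AX 1.0 extension, which is an assumption here since the pre-draft may differ; the type URIs and values are constructed.

```python
AX_NS = "http://openid.net/srv/ax/1.0"
TYPE = "openid.ax.type."
# Constructed type URIs standing in for the thread's attributes A, B and C.
A, B, C = (f"http://example.com/schema/{n}" for n in "abc")

def build_fetch_request(required, if_available=None):
    """RP side. Both arguments map alias -> type URI."""
    if_available = if_available or {}
    req = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, uri in {**required, **if_available}.items():
        req[TYPE + alias] = uri
    if required:
        req["openid.ax.required"] = ",".join(required)
    if if_available:
        req["openid.ax.if_available"] = ",".join(if_available)
    return req

def op_respond(req, stored, consented):
    """Simulated OP: release only attributes it stores AND the user approved."""
    resp = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}
    for key, uri in req.items():
        if key.startswith(TYPE) and uri in stored and uri in consented:
            alias = key[len(TYPE):]
            resp[key] = uri
            resp["openid.ax.value." + alias] = stored[uri]
    return resp

def rp_process(req, resp):
    """RP side: return (received, to_prompt), both keyed by type URI."""
    asked = {k[len(TYPE):]: v for k, v in req.items() if k.startswith(TYPE)}
    required = [asked[a] for a in req.get("openid.ax.required", "").split(",") if a]
    received = {}
    for key, uri in resp.items():
        if not key.startswith(TYPE):
            continue
        value = resp.get("openid.ax.value." + key[len(TYPE):])
        # Match on type URI (aliases are message-local) and drop anything unrequested.
        if value is not None and uri in asked.values():
            received[uri] = value
    # A "required" attribute can still be absent: unsupported, or the user refused.
    return received, [uri for uri in required if uri not in received]

def demo():
    req = build_fetch_request({"a": A, "b": B, "c": C})
    resp = op_respond(req, stored={A: "value-a", B: "value-b"}, consented={A})
    return rp_process(req, resp)

if __name__ == "__main__":
    print(demo())
```

With the OP storing A and B and the user approving only A, the RP receives A and is left to prompt for B and C, and it cannot tell from the response whether B was refused or unsupported.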


