OpenID Attribute Exchange Protocol questions

James Henstridge james at jamesh.id.au
Fri Jul 6 07:37:33 UTC 2007 

On 06/07/07, Johnny Bufu <johnny at sxip.com> wrote:
> Hi James!
>
> On 4-Jul-07, at 9:05 PM, James Henstridge wrote:
> > 1. I noticed a few typos in the examples.  In section 5.1, it gives an
> > example of a fetch_request request reading:
> >
> >     openid.ns.ax=http://openid.net/srv/ax/1.0
> >     openid.ns.ax=fetch_request
> >     ...
>
> This would be a copy / paste error on my part; thanks for finding it!
> It's fixed now.
>
> > 2. The spec seems to omit details of how messages should be sent to
> > openid.ax.update_url.  In particular:
>
> Draft 5 is a bit old; there was also a draft 6 that never made it to
> the index page on openid.net.
>
> The latest revision in svn [1]  should be tagged as draft-7 any time
> now. Please have a look at it and see if there are still issues with
> the update mechanism (or anything else for that matter).

Okay, the new draft is clearer.

My question about the transaction ID in the update URL still stands:
won't a positive assertion response include openid.identifier and
openid.claimed_id, which should be enough for the RP to match up the
response?  Or do you expect the OP to not record the claimed
identifier from the original authentication request?

I think my question about what association handle to use for the
unsolicited response is adequately covered by the rules in section
11.4 of the OpenID Authentication spec: the OP could choose to use the
association from the original authentication request (if it is still
valid), or create a new private association handle.  In either case,
it should be ready to answer a check_authentication request.

My last question about indicating removed data still stands.  Consider
the following example:

1. The RP requests my phone and fax numbers in an OpenID authentication request:
    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=fetch_request
    openid.ax.type.phone=http://example.com/phone
    openid.ax.type.fax=http://example.com/fax
    openid.ax.required=phone,fax
    openid.ax.update_url=http://relying-party/...

2. My OP provides the details in the authentication response:
    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=fetch_response
    openid.ax.type.phone=http://example.com/phone
    openid.ax.type.fax=http://example.com/fax
    openid.ax.value.phone=555-1234
    openid.ax.value.fax=555-5678
    openid.ax.update_url=http://relying-party/...

3. At some later date, my OP sends an unsolicitated authentication
response containing the following data:
    openid.ns.ax=http://openid.net/srv/ax/1.0
    openid.ax.mode=fetch_response
    openid.ax.type.phone=http://example.com/phone
    openid.ax.value.phone=555-2345
    openid.ax.update_url=http://relying-party/...

How should the RP handle this update?  According to the draft spec, I
can think of two possibilities based on how "updated data" is
interpreted?
 1. the user has changed their phone number
 2. the user has changed their phone number and removed their fax number.

The first option treats the phone number as "updated data" and fax
number as unchanged data.  It seems simplest, but it isn't clear how I
would tell the RP that I removed my fax number.

The second option works on the assumption that "updated data" refers
to all the attributes originally requested.  It has the down side that
both the OP and RP now have to remember the list of requested fields
that were requested.


James.

More information about the specs mailing list