Use of Qworum for indirect communication

David Fuelling sappenin at gmail.com
Tue Dec 16 05:25:24 UTC 2008 

Cool idea, although I wonder what benefit this would bring to OpenID auth?
Seems like HTTP redirects and form submits work pretty well today.  Would
Qworum enable any sort of new features that aren't possible today because
we're not using XML between RP/OP/User-agent?

Thanks!

david

2008/12/15 Doğa Armangil <doga.armangil at gmail.com>

> The OpenID Authentication 2.0 specification states in section 5.2 that
> "There are two methods for indirect communication: HTTP redirects and HTML
> form submission". It is worth noting that a third method might be added to
> this list: Qworum ( http://www.qworum.com/ ).
>
> Qworum is a fairly new technology (a couple of years old) that aims to
> solve precisely the problem of indirect communication between interactive
> web services (such as between Relying Parties and OpenID Providers). Qworum
> mandates that the caller (i.e. RP) and the callee (i.e. OP) communicate
> through XML documents.
>
> Here is one possible authentication scenario involving Qworum:
>
>
> 1. The RP calls the OP by sending the following Qworum message to the user
> agent:
>
> <!-- Return to the RP after calling the OP -->
> <qrm:goto href='/auth_complete' xmlns:qrm='http://www.qworum.com/'>
>
>   <!-- Call the OP -->
>   <qrm:call href='http://openid-provider.net/my_id'>
>
>     <!-- Authentication request message -->
>     <message xmlns:openid='http://openid.net/'>
>       <openid:mode>checkid_setup</openid:mode>
>       <openid:identity>http://openid-provider.net/my_id</openid:identity>
>       ...
>     </message>
>
>   </qrm:call>
>
> </qrm:goto>
>
> This message instructs the user agent to call the OP and to send the result
> back to the RP.
>
> 2. The user agent then calls the OP (i.e. http://openid-provider.net/my_id) by POSTing it the following XML document:
>
> <message xmlns:openid='http://openid.net/'>
>   <openid:mode>checkid_setup</openid:mode>
>   <openid:identity>http://openid-provider.net/my_id</openid:identity>
>   ...
> </message>
>
> 3. The OP interacts with the end user.
>
> 4. The OP sends the following Qworum message to the user agent:
>
> <!-- Authentication response message -->
> <message xmlns:openid='http://openid.net/'>
>   <openid:mode>id_res</openid:mode>
>   <openid:identity>http://openid-provider.net/my_id</openid:identity>
>   ...
> </message>
>
> 5. Finally, the user agent then POSTs the authentication response message
> back to the RP. Note that the RP return address is handled by the user
> agent, not the OP.
>
>
> Adding Qworum as a third communication method would not break existing
> methods, it would just offer one more choice to RPs:
> * The RP can check whether the user agent has Qworum capability by
> inspecting the Accept header of the HTTP request. The RP can then choose to
> use Qworum.
> * The OP would understand that the RP is using Qworum to call it if the
> Content-Type of the HTTP POST request is application/xml.
>
> So my question is this: Has Qworum been considered for indirect
> communication, or could it be considered in the future?  (As the lead
> developer of Qworum, I can affirm that Qworum would do all it can to
> facilitate this process.)
>
> --
> Doğa Armangil
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20081216/065adbbc/attachment-0001.htm>

More information about the specs mailing list