So, what is an OpenID Extension?
David Recordon
david at sixapart.com
Thu Aug 13 17:05:24 UTC 2009
I think that it is more of a description of the current state, though
if changed it blurs the difference between OpenID and OAuth even
more. It's worth trying out though.
--David
On Aug 13, 2009, at 9:05 AM, Nat Sakimura wrote:
> Is this "indirectness" a philosophy or just a description of the
> current state?
> It is not only me who wants to do artifact binding, and it is much
> simpler than doing both OpenID and OAuth.
>
> =nat
>
> On Fri, Aug 14, 2009 at 12:39 AM, Andrew Arnott <andrewarnott at gmail.com
> > wrote:
> OpenID extensions must be carried by indirect messages (through the
> browser). If you're looking for ways for server-to-server
> communication to get attributes, I suggest you look at OAuth.
> Specifically perhaps the OpenID+OAuth extension, which could enable
> the RP to send the request directly to the OP for these large
> payloads you're talking about.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
>
>
> On Thu, Aug 13, 2009 at 8:03 AM, Nat Sakimura <sakimura at gmail.com>
> wrote:
> Hmmm. So, there is no way we can do direct communication in an
> extension?
> What I want to do is to send the large payload directly between the
> servers and move only the reference through OpenID Authn request and
> response so that
>
> 1) mobile clients will not choke.
> 2) is going to be more secure.
>
> In AX, there is a notion of update_url, but is that also used only
> for indirect communication through browser?
>
> I feel that it is extremely limiting if we cannot do the server to
> server communication.
>
> If that is not a possibility, then I should probably do the server
> to server portion elsewhere, and just do the reference/artifact
> moving through OpenID AuthN, but that sounds like OpenID strangling
> itself.
>
> =nat
>
>
> On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge
> <james at jamesh.id.au> wrote:
> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<sakimura at gmail.com>
> wrote:
> > I blogged bout the subject here:
> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91
> >
> > What would be the consensus here?
>
> My reading of the spec (and what I believe is the author's intent) is
> that OpenID extensions do indeed piggyback on an authentication
> request. The note about including the extension's type URI in XRDS is
> a way that an OpenID provider can advertise support for the extension.
>
> Note that in OpenID 2.0, sending openid.identifier in an
> authentication request is optional. So you could potentially use an
> extension without actually authenticating as a particular user. From
> section 9.1:
>
> """
> "openid.claimed_id" and "openid.identity" SHALL be either both present
> or both absent. If neither value is present, the assertion is not
> about an identifier, and will contain other information in its
> payload, using extensions (Extensions).
> """
>
> James.
>
>
>
> --
> Nat Sakimura (=nat)
>
> http://www.sakimura.org/en/
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090813/1649ef21/attachment.htm>
More information about the specs
mailing list