[OpenID] Attribute Exchange

Johnny Bufu johnny at sxip.com
Mon Aug 6 20:57:00 UTC 2007


On 5-Aug-07, at 11:28 PM, Armand du Plessis wrote:
> I'm busy extending the ruby-openid library to support the Attribute
> Exchange draft for use in one of our sites but have a couple of
> questions around it I'm hoping you guys can clarify:

Glad to hear it! When it's ready and deployed somewhere, please
announce it so we can do some interoperability tests.

> 1) Am I correct in saying that the ax, fetch_request and
> fetch_response, messages should piggy-back on the OpenID
> authentication, checkid_setup, checkid_immediate and id_res, messages?
> At first I thought it would be separate messages but reading the
> section on OpenID extensions it seems it needs to be included in the
> same request-response.

Yes. The overview section states:

"The request parameters detailed here MUST be sent using the
[OpenID.authentication-2.0] extension mechanism."

> 2) Some of my attribute exchange responses include quite a lot of
> data. If the RP initiated the exchange and included a fetch_request
> attribute is it OK for the server to respond with a POST back when the
> initial request was a GET?
>
> In the OpenID library I see that if the message was one of the
> checkid* it will respond with a http redirect with all the values sent
> back in the querystring which in my case would sometimes exceed the
> max querystring length. Will a consumer understand the response if
> it's sent back as a key/value form? Or what is the preferred mechanism
> for doing that?

Yes. Attribute Exchange is an extension to the OpenID 2.0 protocol,
which defines how the messages are moved, using both GETs and POSTs
(see 5.2. Indirect Communication in the OpenID spec).

As a general practical rule it makes sense to respond with the same
HTTP verb. The POSTs are in OpenID 2.0 however exactly to address
this use case, so you can safely go ahead and use it. All OpenID 2.0
RPs should support POSTs / HTML Form Redirect.

> Should I rather include the values in a post back
> without bothering the k/v form? The spec is not too clear on this or
> it's too early in the morning for me to understand it :)

No, you should always use one of the two indirect communication
methods defined by the OpenID spec: HTTP Redirect or HTML Form Redirect.

> Any guidance or pointers to samples for implementing the AX extensions
> would be really welcome.

We have implemented AX (draft 4) in OpenID4Java:
http://code.google.com/p/openid4java/

To see how we're handling extensions and AX in particular, you can
have a look at the following:
- org.openid4java.message.Message class (look for the extension-related code)
- org.openid4java.message.MessageExtension interface
- org.openid4java.message.ax package (the actual AX implementation)


As a side note, Draft 7 has been waiting for a little while to get
tagged and published, so I've just done this now. Until David has a
chance to link it from the main specs page on openid.net, you can see
it here:
http://openid.net/svn/specifications/attribute_exchange/1.0/tags/Draft_07/


Hope this helps,
Johnny
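The two points of the reply above, an AX fetch_request carried inside a checkid_setup message via the extension mechanism, and the choice between HTTP Redirect (GET) and HTML Form Redirect (POST) for delivering it, as an added Ruby example. This is not code from ruby-openid or OpenID4Java; the endpoint, identifier and return_to URLs are constructed placeholders, and the namespace URIs are those of the published OpenID 2.0 and AX 1.0 specs.

```ruby
require "cgi"

# OpenID 2.0 and AX 1.0 namespace URIs (values from the published specs).
OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS     = "http://openid.net/srv/ax/1.0"

# Build the parameters of a checkid_setup request that piggy-backs an AX
# fetch_request: every AX key sits under the "openid.ax." alias declared by "openid.ns.ax".
def checkid_with_fetch_request(claimed_id, return_to, attrs)
  params = {
    "openid.ns"         => OPENID_NS,
    "openid.mode"       => "checkid_setup",
    "openid.claimed_id" => claimed_id,
    "openid.identity"   => claimed_id,
    "openid.return_to"  => return_to,
    "openid.ns.ax"      => AX_NS,
    "openid.ax.mode"    => "fetch_request",
  }
  attrs.each { |alias_name, type_uri| params["openid.ax.type.#{alias_name}"] = type_uri }
  params["openid.ax.required"] = attrs.keys.join(",")
  params
end

# Indirect communication, method 1: HTTP Redirect (GET), message in the query string.
def http_redirect_url(endpoint, params)
  query = params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join("&")
  endpoint + (endpoint.include?("?") ? "&" : "?") + query
end

# Indirect communication, method 2: HTML Form Redirect (POST) for messages too large
# for a query string; every key and value is HTML-escaped into a hidden field.
def html_form_redirect(endpoint, params)
  fields = params.map do |k, v|
    %(<input type="hidden" name="#{CGI.escapeHTML(k)}" value="#{CGI.escapeHTML(v)}"/>)
  end.join("\n")
  <<~HTML
    <html><body onload="document.forms[0].submit()">
    <form method="post" action="#{CGI.escapeHTML(endpoint)}">
    #{fields}
    </form></body></html>
  HTML
end

# Parse the GET query string back into the key/value hash the receiver sees.
def parse_query(query)
  query.split("&").each_with_object({}) do |pair, h|
    k, v = pair.split("=", 2)
    h[CGI.unescape(k)] = CGI.unescape(v.to_s)
  end
end
```

Either rendering carries the identical parameter set, which is why an RP that accepts the form post sees the same message it would have parsed from the redirect query string.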