[OpenID] Attribute Exchange

Armand du Plessis armand at dotnet.org.za
Mon Aug 6 21:33:33 UTC 2007


(meant to reply to list)

Hi Johnny,

Yeah, thanks that clears up a lot. Somehow I initially missed section
5.2 but I've been looking at the OpenID4java implementation which
certainly helped to lift some of the fog :)

I'm generating a form and using form-redirect now for large messages
(>2047 return url) which seems to be fine but I still need to finish
consumer code in order to test it properly.

Thanks again,

Armand

On 8/6/07, Johnny Bufu <johnny at sxip.com> wrote:
>
> On 5-Aug-07, at 11:28 PM, Armand du Plessis wrote:
> > I'm busy extending the ruby-openid library to support the Attribute
> > Exchange draft for use in one of our sites but have a couple of
> > questions around it I'm hoping you guys can clarify:
>
> Glad to hear it! When it's ready and deployed somewhere, please
> announce it so we can do some interoperability tests.
>
> > 1) Am I correct in saying that the ax, fetch_request and
> > fetch_response, messages should piggy-back on the OpenID
> > authentication, checkid_setup, checkid_immediate and id_res, messages?
> > At first I thought it would be separate messages but reading the
> > section on OpenID extensions it seems it needs to be included in the
> > same request-response.
>
> Yes. The overview section states:
>
> "The request parameters detailed here MUST be sent using the
> [OpenID.authentication-2.0] extension mechanism."
>
> > 2) Some of my attribute exchange responses include quite a lot of
> > data. If the RP initiated the exchange and included a fetch_request
> > attribute is it OK for the server to respond with a POST back when the
> > initial request was a GET?
> >
> > In the OpenID library I see that if the message was one of the
> > checkid* it will respond with a http redirect with all the values sent
> > back in the querystring which in my case would sometimes exceed the
> > max querystring length. Will a consumer understand the response if
> > it's sent back as a key/value form? Or what is the preferred mechanism
> > for doing that?
>
> Yes. Attribute Exchange is an extension to the OpenID 2.0 protocol,
> which defines how the messages are moved, using both GETs and POSTs
> (see 5.2. Indirect Communication in the OpenID spec).
>
> As a general practical rule it makes sense to respond with the same
> HTTP verb. The POSTs are in OpenID 2.0 however exactly to address
> this use case, so you can safely go ahead and use it. All OpenID 2.0
> RPs should support POSTs / HTML Form Redirect.
>
> > Should I rather include the values in a post back
> > without bothering the k/v form? The spec is not too clear on this or
> > it's too early in the morning for me to understand it :)
>
> No, you should always use one of the two indirect communication
> methods defined by the OpenID spec: HTTP Redirect or HTML Form Redirect.
>
> > Any guidance or pointers to samples for implementing the AX extensions
> > would be really welcome.
>
> We have implemented AX (draft 4) in OpenID4Java:
>         http://code.google.com/p/openid4java/
>
> To see how we're handling extensions and AX in particular, you can
> have a look at the following:
> - org.openid4java.message.Message class (look for the extension-
> related code)
> - org.openid4java.message.MessageExtension interface
> - org.openid4java.message.ax package (the actual AX implementation)
>
>
> As a side note, Draft 7 has been waiting for a little while to get
> tagged and published, so I've just done this now. Until David has a
> chance to link it from the main specs page on openid.net, you can see
> it here:
> http://openid.net/svn/specifications/attribute_exchange/1.0/tags/Draft_07/
>
>
> Hope this helps,
> Johnny
>
>
>


-- 
Armand, du Plessis
http://shortersigs.com/5041ZH92ZJPW
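
An added example, not part of the original message and not code from ruby-openid: one way an OpenID Provider could choose between the two indirect communication methods discussed in this thread, falling back to an HTML Form Redirect when the redirect URL would exceed the 2047 figure mentioned above. The helper name `indirect_response`, the `MAX_REDIRECT_URL` constant and the sample values are assumptions. Attribute values are HTML-escaped because AX data is user-supplied and ends up inside the generated form.

```ruby
require 'uri'
require 'cgi'

# Assumed limit, taken from the ">2047" figure in the message above.
MAX_REDIRECT_URL = 2047

# Hypothetical helper. `fields` holds un-prefixed response keys
# (e.g. "mode", "ax.value.email"). Returns [:redirect, url] or [:form, html].
def indirect_response(return_to, fields)
  params = fields.transform_keys { |k| "openid.#{k}" }

  # HTTP Redirect: append the parameters to any query already on return_to.
  uri = URI.parse(return_to)
  uri.query = [uri.query, URI.encode_www_form(params)].compact.join('&')
  url = uri.to_s
  return [:redirect, url] if url.length <= MAX_REDIRECT_URL

  # HTML Form Redirect: same key/value pairs as hidden inputs, POSTed to
  # return_to. Every name and value is escaped so attribute data cannot
  # break out of the value="..." context.
  inputs = params.map do |name, value|
    %(<input type="hidden" name="#{CGI.escapeHTML(name)}" value="#{CGI.escapeHTML(value)}"/>)
  end
  html = <<~HTML
    <html><body onload="document.forms[0].submit()">
    <form method="post" action="#{CGI.escapeHTML(return_to)}" accept-charset="UTF-8">
    #{inputs.join("\n")}
    <input type="submit" value="Continue"/>
    </form></body></html>
  HTML
  [:form, html]
end

# Constructed sample input: a small response and one with a large AX value.
small = { 'mode' => 'id_res', 'ns.ax' => 'http://openid.net/srv/ax/1.0' }
large = small.merge('ax.value.bio' => 'x' * 3000)
[small, large].each do |fields|
  kind, body = indirect_response('https://rp.example/return?nonce=abc', fields)
  puts "#{kind}: #{body.length} bytes"
end
```
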


