[OpenID] OpenID Exchange

Dick Hardt dick at sxip.com
Mon Jan 15 08:31:16 UTC 2007

On 15-Jan-07, at 12:08 AM, Martin Atkins wrote:

> Dick Hardt wrote:
>> Hi Martin
>> What would you want OpenID Exchange to do that was not in OpenID
>> Attribute Exchange?
> As I understand it, Attribute Exchange is a mechanism for exchanging
> sets of key-value pairs between parties, like "Simple Registration"
> taken to its logical conclusion.


> OpenID Exchange[1] is a protocol for doing arbitrary HTTP requests
> between two sites where the caller acts on behalf of the user and the
> user gives that caller a one-time permission to perform the action.

Why one-time?

> So the two aren't really comparable except to say that Attribute
> Exchange could, in theory, use OpenID Exchange as a transport. I see
> that right now it's using OpenID Authentication as a transport, but I
> assume that this means that I cannot separate my "attribute provider"
> from my authentication provider.

Agreed -- but that comes from the view that authentication is just  
another attribute. :-)

> OpenID Exchange can operate both standalone and as an OpenID
> Authentication Extension, although admittedly right now the
> Authentication Extension mode is underspecified and untested because
> I've been focusing on the "Post In My Weblog" protocol which makes no
> sense to bundle over an Authentication request.
> I've intentionally avoided stepping on your toes by speccing anything
> for profile exchange over OpenID Exchange so far.

If you have ideas on how the two could work together, please feel  
free to send me your thoughts.

> -----------------------------------------
> [1] I apologise for the "name collision" with them both having
> "Exchange" in the name; I've had this all lying around on my system here
> with the name "OpenID Exchange" since not long after I proposed its
> predecessor "user-accompanied RPC protocol", so I stuck with the name
> when I published it despite the fact that it now collides. Suggestions
> for alternative names that aren't horrifically verbose are welcomed.

Perhaps another name will come to mind once I fully grok what you
are trying to do!

Per your example, there is the blogsite and the lamequiz. (btw: the  
quiz properly assessed I liked Perl :-)

Some questions to help me grok:

Would it be fair to say that lamequiz is making an API call to  
blogsite on behalf of the user?

Would some other policy such as being able to make more than one call
be useful, or be able to make the call later when the user is not  

-- Dick
