[OpenID] OpenID Exchange
mart at degeneration.co.uk
Mon Jan 15 08:47:40 UTC 2007
Dick Hardt wrote:
> Perhaps another name will come to mind once I fully grok what you
> are trying to do!
> Per your example, there is the blogsite and the lamequiz. (btw: the
> quiz properly assessed I liked Perl :-)
> Some questions to help me grok:
> Would it be fair to say that lamequiz is making an API call to
> blogsite on behalf of the user?
Yes, that's right.
The previous iteration of this used "RPC" as its model, but this time
around I simplified it to using HTTP requests as the model in order that
it can reuse parts of existing HTTP-based protocols.
So what's going on in my demo is that, conceptually, blogsite is making
the following HTTP request:
    POST /blogsite/oidex-server.php?blogid=4 HTTP/1.1
and getting back:
    HTTP/1.1 201 Created
but this has a user-approval step shoved in the middle of it.
(This initial demo uses a simple urlencoding, but my later draft spec on
the wiki uses Atom. The principle is the same.)
> Would some other policy such as being able to make more than one call
> be useful, or be able to make the call later when the user is not
I expect that this would be dealt with by dependent services where it is
useful by having an "API request" as above in which the caller requests
permission to do an action later, possibly many times. The basic
primitive of this protocol is user-accompanied requests, but you can
have a user-accompanied request to set up permission to make a
non-accompanied request if you like. That may be a useful extension to
OpenID Exchange, but I think it's a good idea to spec out this simple
case first and add on a "Delayed/Repeated Request" extension later
when/if it proves useful.
Got to head to work now, so I'll catch up with this later. :)
Had an even worse name to start with!
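
A conceptual model of the user-accompanied request described in the message above, as an added example that is not part of the original message or of the OpenID Exchange draft. Only the POST target and the 201 Created response come from the message; the class and method names, the handle, the request digest, the 403/404 codes and the request body are assumptions made for illustration.

```python
import hashlib
import secrets

class ApprovalGate:
    """Holds a caller's HTTP request until the user approves that exact request."""

    def __init__(self):
        self._pending = {}  # handle -> [digest of request, state]

    @staticmethod
    def _digest(method, target, body):
        # Length-prefix each field so field boundaries cannot be shifted.
        h = hashlib.sha256()
        for part in (method.encode(), target.encode(), body):
            h.update(len(part).to_bytes(4, "big") + part)
        return h.hexdigest()

    def submit(self, method, target, body):
        """Caller (lamequiz) files the request; nothing is executed yet."""
        handle = secrets.token_urlsafe(16)
        self._pending[handle] = [self._digest(method, target, body), "pending"]
        return handle

    def decide(self, handle, approved):
        """Provider (blogsite) records the user's choice from its own approval page."""
        entry = self._pending.get(handle)
        if entry and entry[1] == "pending":
            entry[1] = "approved" if approved else "denied"

    def execute(self, handle, method, target, body):
        """Run the request once, and only if it matches what the user approved."""
        entry = self._pending.get(handle)
        if entry is None:
            return 404  # unknown handle, or approval already used (assumed code)
        if entry[1] != "approved" or entry[0] != self._digest(method, target, body):
            return 403  # pending, denied, or altered after approval (assumed code)
        del self._pending[handle]  # user-accompanied: one approval, one request
        return 201  # "201 Created", as in the message

def demo():
    gate = ApprovalGate()
    # The body is constructed sample data; the target is the one from the message.
    req = ("POST", "/blogsite/oidex-server.php?blogid=4", b"title=Quiz+result")
    h = gate.submit(*req)
    before = gate.execute(h, *req)  # user has not approved yet
    gate.decide(h, approved=True)
    altered = gate.execute(h, "POST", "/blogsite/oidex-server.php?blogid=5", req[2])
    first = gate.execute(h, *req)
    replay = gate.execute(h, *req)  # a second call needs a fresh approval
    return before, altered, first, replay
```

The replay result is the reason a "Delayed/Repeated Request" extension would have to be a separate, explicitly approved grant rather than reuse of the same approval.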