[OpenID] OpenID Exchange

Martin Atkins mart at degeneration.co.uk
Tue Jan 16 08:42:20 UTC 2007

Dick Hardt wrote:
> Hi Martin, below I have described the exchange in my own words; would
> you clarify any misconceptions?
> 1) User navigates to Client site
> 2) Client site redirects user to Server site with request
> 3) Server asks user if it is ok for Client to call Server
> 4) user gives permission
> 5) Server redirects user to Client with one-time URL
> 6) Client sends message to Server at one-time URL

That's almost it. There are a couple of things you've misunderstood. 
I've attached a diagram of the various exchanges of information in the 
hope of clarifying. In summary:

* The initial request happens directly, without the browser in the loop. 
* The URL is not the token. The first and last phases are made directly 
from the client site to the server site via the latter's endpoint URL.

> a) the Server can interact with the user and have other access
> policies to the URL such as use for next 24 hours, use once but within
> 5 minutes, etc.

Currently there is no specification for how long the client can wait 
before making its final request, though the assumption is that it will 
happen "immediately" (i.e. after a very short period). My "blogsite" 
demo allows three minutes, IIRC.

I'm not attempting to solve the problem of a user giving permission for 
a site to do something later or to do something repeatedly, though you 
could create a protocol that did the initial "give the site permission 
to do this later" step over OpenID Exchange and then continue via some 
normal webservice mechanism for the actual request(s).

> c) this has nothing to do with OpenID. :) -- the user could  
> authenticate to the server using any method.

Yes. The "dependencies" on OpenID Authentication in the spec are limited to:
* I mandate support for OpenID Authentication at minimum, though allow 
applications to use other mechanisms in preference to or as a fallback 
from OpenID at their option.

* The permission phase of the protocol is designed to optionally 
operate as an OpenID Authentication extension.

However, as we seem to have recently decided, there's more to "OpenID" 
than the Authentication protocol. OpenID seems like a good umbrella for 
this to be under, since having a common identifier across sites is a 
large part of getting a good user-experience out of this protocol.

> d) requires the server to present a UX to the user

I'm probably being dense, but I can't think what a "UX" would be in this 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Exchange Exchange.png
Type: image/png
Size: 25025 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070116/a276cf0c/attachment-0002.png>
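As an added illustration (not the OpenID Exchange spec, Martin's blogsite demo, or any code from this thread), here is a toy Python model of the three phases as corrected above: phases 1 and 3 are direct client-site-to-endpoint calls, only phase 2 goes through the user's browser, and what the redirect carries is a one-time, short-lived handle rather than "the URL as the token". The 180-second window, the client identifier, the request contents, the handle format and the order of the phase-3 checks are all assumptions of this model.

```python
import secrets

HANDLE_TTL_SECONDS = 180  # assumed, after the "three minutes" the blogsite demo allows

class ExchangeServer:
    """Server site. Handles are issued and redeemed at its endpoint by direct
    client-site calls; only the permission step goes through the browser."""

    def __init__(self, clock):
        self.clock = clock  # callable returning seconds; injected so tests need not sleep
        self.handles = {}

    def initiate(self, client_id, request):
        # Phase 1: direct client-site -> endpoint request, no browser involved.
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = {"client": client_id, "request": request,
                                "approved": False, "issued": self.clock(), "used": False}
        return handle

    def user_decides(self, handle, user_allows):
        # Phase 2: the user is redirected here and asked whether the client may
        # make this request; the server then redirects the user back to the client.
        entry = self.handles.get(handle)
        if entry is not None:
            entry["approved"] = bool(user_allows)

    def complete(self, client_id, handle):
        # Phase 3: direct client-site -> endpoint call presenting the handle, which
        # must be known, bound to this client, approved, unused and still fresh.
        entry = self.handles.get(handle)
        if entry is None or entry["client"] != client_id:
            return "unknown"
        if entry["used"]:
            return "replayed"
        if self.clock() - entry["issued"] > HANDLE_TTL_SECONDS:
            return "expired"
        if not entry["approved"]:
            return "denied"
        entry["used"] = True
        return "ok"

def run_exchange(allow=True, wait_seconds=0.0):
    """Drive one exchange; return the phase-3 result and the result of an immediate replay."""
    now = [1000.0]  # constructed clock, advanced by hand instead of sleeping
    server = ExchangeServer(lambda: now[0])
    handle = server.initiate("https://client.example/", {"op": "post-entry"})  # constructed client
    server.user_decides(handle, allow)
    now[0] += wait_seconds  # the client's wait before its final direct request
    return [server.complete("https://client.example/", handle) for _ in range(2)]
```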