[OpenID] Attribute Exchange without simultaneous authentication

Andrew Arnott andrewarnott at gmail.com
Mon May 26 18:56:01 UTC 2008


I think a simultaneous authentication is necessary because without it, the
openid.claimed_id and openid.identity parameters will be missing, and thus
no way for the OP to determine what Identifier is being queried for
attributes.

From the AX spec:
3.1.  Subject Identifier

An identifier for a set of attributes. It MUST be a URI. *The subject
identifier corresponds to the end-user identifier in the authentication
portion of the messages*. In other words, the *subject of the identity
attributes in the attribute exchange part of the message is the same as the
end-user in the authentication part. The subject identifier is not included
in the attribute exchange*.
It seems that the only way for an RP to send an OP an OpenID message with
extensions for this purpose without actually requesting authentication is to
leave off the claimed_id and identity parameters, which kills AX's use of
them.  At least that's how I unerstand the OpenID 2.0 spec.  Perhaps I
misunderstand it.  If I do misunderstand it, how is an extension supposed to
send a request without a simultaneous authentication request?

Thanks.

On Mon, May 26, 2008 at 11:43 AM, Dick Hardt <dick at sxip.com> wrote:

> The Subject Identifier is to let the OP and RP know which user is being
> referred to. An authentication request SHOULD not be needed.
> In other words, you should be able to do what you want to do now ... why do
> you think you can't?
>
> -- Dick
>
> On 25-May-08, at 7:43 AM, Andrew Arnott wrote:
>
> Attribute Exchange seems to rely on being part of an authentication message
> as opposed to being able to work when in OpenID's no-authentication
> extension mode.  I get this from section 3.1
> <http://openid.net/specs/openid-attribute-exchange-1_0.html#identifier-definition>
> of the AX spec getting the subject identifier from the authentication part
> of the message.
>
> My suggestion would be that if we can, in a subsequent version of AX, allow
> AX to stand alone without OpenID having to send an authentication request at
> the same time, then given an OpenID URL by itself, people can query against
> it.  Now, most information would probably need to be kept private, but
> perhaps some information, like contact information, can be made available
> provided the requestor respond to a CAPTCHA or something like that.  That
> would be up to the individual OPs and their users of course as to which
> information to be willing to disseminate, but the power of the feature is
> there.
>
> What do you think?
>
> --
> Andrew Arnott
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>


-- 
Andrew Arnott
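As an added illustration of the point argued above (this is example code written for this page, not code from the thread, from the OpenID specs, or from any OpenID library): the two messages below are constructed, the first an ordinary checkid_setup request with an AX fetch_request riding along, the second the "extension-only" shape as Andrew reads the spec, i.e. the same AX payload with openid.mode, openid.claimed_id and openid.identity left off. Whether OpenID 2.0 actually frames an extension-only request that way is an assumption taken from the thread, not something the page settles. The resolver takes the AX subject from openid.claimed_id / openid.identity, per AX 1.0 section 3.1, so for the second message there is no subject to find even though the AX part is complete.

```python
"""Resolve the AX subject identifier from an OpenID 2.0 indirect message.

Added example; not code from the thread or from any OpenID library.
Both sample messages are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
# openid.mode values that make the message an authentication request
AUTH_MODES = {"checkid_setup", "checkid_immediate"}


def parse_openid_message(query: str) -> dict:
    """Parse a form-encoded (indirect) OpenID message into a flat dict."""
    return dict(parse_qsl(query, keep_blank_values=True))


def extension_alias(msg: dict, ns_uri: str):
    """Find the alias an extension namespace was declared under
    (openid.ns.<alias>=<ns_uri>); None if the extension is absent."""
    for key, value in msg.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return None


def ax_requested_types(msg: dict):
    """Attribute alias -> type URI for an AX fetch_request, or None if the
    message carries no AX fetch request."""
    alias = extension_alias(msg, AX_NS)
    if alias is None or msg.get(f"openid.{alias}.mode") != "fetch_request":
        return None
    prefix = f"openid.{alias}.type."
    return {k[len(prefix):]: v for k, v in msg.items() if k.startswith(prefix)}


def is_auth_request(msg: dict) -> bool:
    """True when openid.mode asks the OP to authenticate the user."""
    return msg.get("openid.mode") in AUTH_MODES


def ax_subject(msg: dict):
    """AX 1.0 section 3.1: the subject of the attributes is the end-user
    identifier carried in the authentication part of the same message.
    AX itself carries no subject field, so if claimed_id/identity are
    absent there is nothing to resolve."""
    return msg.get("openid.claimed_id") or msg.get("openid.identity")


# --- constructed sample messages -------------------------------------------
AX_PART = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_request",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.required": "email",
}

# Authentication request with an AX fetch request alongside it (constructed).
AUTH_WITH_AX = urlencode({
    "openid.ns": OPENID2_NS,
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "https://user.example.org/",
    "openid.identity": "https://user.example.org/",
    "openid.return_to": "https://rp.example.com/openid/return",
    **AX_PART,
})

# "Extension-only" message as the thread describes it: same AX payload, but
# no checkid_* mode and no claimed_id/identity.  Assumption: this follows the
# thread's reading of the spec, not a layout the OpenID 2.0 spec dictates.
EXTENSION_ONLY_AX = urlencode({"openid.ns": OPENID2_NS, **AX_PART})


def describe(query: str) -> dict:
    """Summarise what an OP could learn from one incoming message."""
    msg = parse_openid_message(query)
    return {
        "auth_request": is_auth_request(msg),
        "ax_types": ax_requested_types(msg),
        "ax_subject": ax_subject(msg),
    }


if __name__ == "__main__":
    for name, q in (("auth+ax", AUTH_WITH_AX), ("extension-only", EXTENSION_ONLY_AX)):
        print(name, describe(q))
```

For the first message `describe` reports an authentication request, the requested `email` type and the subject `https://user.example.org/`; for the second it still finds the same AX fetch request but no subject at all, which is exactly the gap the message above points at: an OP would have a well-formed AX request and no way to tell whose attributes are being asked for.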