[OpenID] OpenID SREG best practice question

Dick Hardt dick.hardt at gmail.com
Wed Nov 12 17:40:41 UTC 2008


In UX flows we did in the past, we had options for the user to get prompted each time, prompted if the data has changed, or to automatically release all the time.

-- Dick

On 12-Nov-08, at 8:20 AM, George Fletcher wrote:

> Hi,
>
> I've been re-reading the SREG spec and I'm unsure as to the best/correct behavior in the case that an RP asks for SREG data that the user has already provided/consented to in the past. I see at least 3 options:
>
> 1. Should the OP (which knows the user gave consent for the requested fields) just not return them (on the principle that the fewer times "PII" flows over the wire the more the user's privacy is protected)?
>
> 2. Should the OP silently (meaning no UI message relating to SREG) return the requested data if the user has given consent in the past (on the principle that the user gave consent in the past so this data can be returned without asking the user again)?
>
> 3. Should the OP always ask the user what to do but default the data that is sent based on the previous consent? This adds a UI page to every OpenID authentication that requests SREG data.
>
> Has anyone else worked through these issues? Any best practices to follow?
>
> Thanks,
> George
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
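As an added example (not code from this thread, and not from any OpenID Provider implementation), here is one way an OP could encode the release behaviours discussed above as a decision over a stored per-RP consent record: George's option 1 (omit fields already sent), option 2 (silent release under prior consent), option 3 (always prompt), and Dick's "prompt only if the data has changed". The `openid.sreg.required` / `openid.sreg.optional` parameters and the nine field names come from the SREG spec; the `Policy` names, the `ConsentRecord` shape, the realm and the profile values are assumptions made for the example.

```python
"""Consent decision for an incoming SREG request at an OP (illustrative, not list code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Field names defined by the SREG spec; anything else in a request is dropped.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}


class Policy(Enum):
    """Release policies as discussed in the thread (names are this example's own)."""
    OMIT_IF_PRIOR = "omit_if_prior"            # George's option 1
    AUTO_RELEASE = "auto_release"              # George's option 2 / Dick's "automatically release"
    PROMPT_ALWAYS = "prompt_always"            # George's option 3 / Dick's "prompted each time"
    PROMPT_IF_CHANGED = "prompt_if_changed"    # Dick's "prompted if the data has changed"


@dataclass
class ConsentRecord:
    """What this user previously agreed to release to one RP, keyed by realm (assumed shape)."""
    fields: set[str]           # fields the user approved for this realm
    values: dict[str, str]     # snapshot of the values as they were when released


@dataclass
class Decision:
    prompt: bool               # True -> show the consent UI before answering the RP
    release: dict[str, str]    # fields to put in the openid.sreg.* response when not prompting
    reason: str


def parse_sreg_request(params: dict[str, str]) -> tuple[set[str], set[str]]:
    """Split the comma-separated required/optional lists into validated field sets."""
    def split(key: str) -> set[str]:
        raw = params.get(key, "")
        return {f.strip() for f in raw.split(",") if f.strip()} & SREG_FIELDS
    return split("openid.sreg.required"), split("openid.sreg.optional")


def decide(params: dict[str, str], realm: str, profile: dict[str, str],
           consents: dict[str, ConsentRecord], policy: Policy) -> Decision:
    """Decide whether to prompt, and which fields to release, for one request."""
    required, optional = parse_sreg_request(params)
    requested = required | optional
    if not requested:
        return Decision(False, {}, "no sreg fields requested")

    prior = consents.get(realm)
    if prior is None:
        # First contact with this RP: every policy asks the user.
        return Decision(True, {}, "no prior consent for this realm")
    if not requested <= prior.fields:
        # Prior consent never covered these fields, so it cannot be reused.
        new = sorted(requested - prior.fields)
        return Decision(True, {}, f"new fields requested: {new}")

    if policy is Policy.PROMPT_ALWAYS:
        return Decision(True, {}, "policy prompts on every request")
    if policy is Policy.OMIT_IF_PRIOR:
        # Consent exists, so the RP already holds the data: send nothing over the wire.
        return Decision(False, {}, "fields previously released; omitted to limit PII on the wire")

    current = {f: profile.get(f, "") for f in requested}
    if policy is Policy.PROMPT_IF_CHANGED:
        changed = sorted(f for f in requested if prior.values.get(f) != current[f])
        if changed:
            return Decision(True, {}, f"values changed since consent: {changed}")
    # AUTO_RELEASE, or PROMPT_IF_CHANGED with nothing changed: answer silently.
    return Decision(False, {f: v for f, v in current.items() if v},
                    "released under prior consent")


def sreg_response(decision: Decision) -> dict[str, str]:
    """Map released fields onto the openid.sreg.<field> response parameters."""
    return {f"openid.sreg.{f}": v for f, v in decision.release.items()}


if __name__ == "__main__":
    # Constructed sample request, profile and consent store.
    req = {"openid.sreg.required": "email", "openid.sreg.optional": "nickname,fullname"}
    realm = "https://rp.example.test/"
    me = {"email": "alice@example.test", "nickname": "alice", "fullname": "Alice Example"}
    store = {realm: ConsentRecord({"email", "nickname", "fullname"}, dict(me))}
    for pol in Policy:
        d = decide(req, realm, me, store, pol)
        print(pol.value, "prompt" if d.prompt else sreg_response(d), "-", d.reason)
```

The "prompt if changed" branch is the one that needs the value snapshot: comparing only the approved field names would let a changed email address flow to the RP without the user seeing it, while comparing values keeps the prompt count near zero for users whose profile is stable.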
