[OpenID] OpenID SREG best practice question
SitG Admin
sysadmin at shadowsinthegarden.com
Fri Nov 14 01:17:03 UTC 2008
>I like the idea of tracking when the data changes and doing something
>special then. I'd love to see RPs only ask for SREG data when they need
>it. However, this is increasingly difficult with directed identity as
>the RP doesn't know who the user is until after authentication.
The problem, then, is that RPs can only ask for the user's SREG data
*during* authentication? And by the time it knows to ask for this
data, the user has *already* authenticated, so it's too late?

Ideally, there would be something like checkid_immediate for SREG;
practically, the UX is still broken because it "logs in" the user and
then says "Hold on one second, we need to send you back to your OP
again." - effectively forcing the user to go through a login screen
(assuming they have one with their OP) twice.

On the other hand, if they wouldn't have had a combined login screen
(and this is up to individual OPs, but if we assume that most OPs
will follow the "show user what information they're about to submit"
guidelines previously mentioned on this list, the OP will have the
same problem - it can't show this information to users until *it*
(the OP!) knows who that user is, so it will have a separate login
screen for SREG data anyway), and the RP just bounces the user right
back at their OP, the UX is a little slower and the underlying
process is about twice as much, but the user thinks they never left
their OP.

-Shade