[OpenID] openid.user_setup_url no longer in V2

Andrew Arnott andrewarnott at gmail.com
Sun Sep 7 15:03:55 UTC 2008


Really?  I never imagined the flow in 1.x meant anything other than that the
user_setup_url was an ordinary non-immediate request.  In which case I don't
know why the RP would send a setup_url request and a following immediate
request, as the setup_url request results in an auth. It seems to me that
1.x and 2.0 are the same, except that instead of 1.x formulating the
checkid_setup URL for the RP, the RP must create it itself.

On Sun, Sep 7, 2008 at 3:16 AM, Martin Atkins <mart at degeneration.co.uk> wrote:

> Andrew Arnott wrote:
>
>> Does anyone who helped with the V2 spec know why user_setup_url was
>> removed from negative immediate auth response messages?  I like the overall
>> changes, including that id_res is no longer sent in negative cases, which
>> just confused the question of whether an auth was good, but user_setup_url
>> was still helpful to some clients.
>>
>> I wondered if it had to do with the identifier_select case, where OPs
>> might have a privacy leak that might expose the logged in user's
>> claimed/local IDs in the setup_needed message if the request was sent with
>> identifier_select.
>>
>>
> I believe this was just for simplicity's sake. The 1.1 flow was:
>
>  * RP does immediate request.
>  * OP responds with failure and setup URL.
>  * RP sends user to setup URL.
>  * OP does some setup.
>  * RP repeats immediate request.
>  * OP responds with positive assertion.
>
> (or something along those lines.)
>
> The equivalent flow in 2.0 is something like:
>
>  * RP does immediate request.
>  * Server responds with failure.
>  * RP does non-immediate request.
>  * OP does some setup.
>  * OP responds with positive assertion.
>
> The second non-immediate request functions as the setup step and the
> repeated immediate request rolled into one.
>
>
>
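
The two flows compared in this message, from the RP's side, as an added example that is not code from either poster or from any OpenID library: it takes the query string returned to a checkid_immediate request and decides the RP's next step under 1.x (follow the OP-supplied openid.user_setup_url) and 2.0 (build the checkid_setup request itself). The function and parameter names are hypothetical, openid.identity is assumed equal to the claimed identifier, and the same-origin check on the setup URL is an added policy assumption, not something the thread discusses.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def next_step(response_query, op_endpoint, claimed_id, return_to, realm):
    """Decide what the RP does with the response to a checkid_immediate request.

    Returns ("redirect", url) when the user must visit the OP, or
    ("verify", None) when a positive assertion still needs signature checks.
    """
    msg = {k: v[0] for k, v in parse_qs(response_query).items()}
    mode = msg.get("openid.mode")
    is_v2 = msg.get("openid.ns") == OPENID2_NS

    if is_v2 and mode == "setup_needed":
        # 2.0: the OP sends no setup URL, so the RP builds checkid_setup itself.
        params = {
            "openid.ns": OPENID2_NS,
            "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,  # assumption: no delegated local id
            "openid.return_to": return_to,
            "openid.realm": realm,
        }
        sep = "&" if urlsplit(op_endpoint).query else "?"
        return ("redirect", op_endpoint + sep + urlencode(params))

    if not is_v2 and mode == "id_res" and "openid.user_setup_url" in msg:
        # 1.x: the negative reply is id_res carrying an OP-formulated URL.
        setup_url = msg["openid.user_setup_url"]
        # Added precaution (policy assumption): the reply is unsigned, so only
        # follow a setup URL on the origin of the discovered OP endpoint.
        if _origin(setup_url) != _origin(op_endpoint):
            raise ValueError("user_setup_url is not on the OP endpoint origin")
        return ("redirect", setup_url)

    if mode == "id_res":
        return ("verify", None)
    raise ValueError("unexpected openid.mode: %r" % mode)
```
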