[OpenID] Can all Relying Party accept OpenID Provider's

Wed Sep 17 20:40:04 UTC 2008

I agree the spec doesn't spell out the scenario of an unsolicited assertion,
but it seems to me that an RP implementing the full spec must handle the
unsolicited assertion scenario at least somewhat because section 11.2 tells
what the RP must do.  And unless the RP does something to break it by adding
dependencies on return_to parameters, for example, it ought to work
implicitly as a result of following the spec as far as I understand it.

On Wed, Sep 17, 2008 at 8:01 AM, Peter Williams <pwilliams at rapattoni.com>wrote:

> It's not obvious that it really does, Andrew.
>
> I tested the validity of this very feature when doing formal due diligence
> on OpenID, the open code, and dominant providers. (I had to see where openid
> technology fits on the security scale, to get passed the evangelism
> pitches.)
>
> It was very ambiguous what the intent of the unsolicited assertion messages
> were, and what a conforming flow would be. I came to the conclusion that its
> intent was very limited, and related to AX update. But, even that conclusion
> was tenuous.
>
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Andrew Arnott
> Sent: Wednesday, September 17, 2008 7:06 AM
> To: hulixin
> Cc: general at openid.net
> Subject: Re: [OpenID] Can all Relying Party accept OpenID Provider's
>
> Why do you say it doesn't?  In fact it does.
>
> Sent from my iPhone
>
> On Sep 16, 2008, at 11:38 PM, hulixin <hulixin at huawei.com> wrote:
>
> > think you very much.
> > I will supports unsolicited assertions too.
> > Do you know why < OpenID Authentication 2.0 - Final >do not include
> > this
> > case.
> > Is it safe?
> >
> > ________________________________
> >
> > 发件人: Andrew Arnott [mailto:andrewarnott at gmail.com]
> > 发送时间: 2008年9月17日 12:28
> > 收件人: hulixin
> > 抄送: general at openid.net
> > 主题: Re: [OpenID] Can all Relying Party accept OpenID Provider's
> >
> >
> > I know DotNetOpenId supports unsolicited assertions on both sides as
> > you
> > describe.
> >
> > Sent from my iPhone
> >
> > On Sep 16, 2008, at 9:05 PM, hulixin <hulixin at huawei.com> wrote:
> >
> >
> >
> >    Thank you for your answer!
> >
> >    Can all Relying Party accept OpenID Provider's Responding without
> > Requesting Authentication?
> >
> >    It means: User login in OpenID Provider directly ,instead of
> > Relying
> > Party  redirect user from Relying Party to OpenID Provider.After
> > user login
> > in OpenID Provider,User want to an  Relying Party,Can  OpenID Provider
> > generate a url for user login into Relying Party,  if user click this
> > url,Relying Party will accept this user login.user need not input
> > OpenID in
> > Relying Party.   Relying Party do not  send a  Requesting
> > Authentication to
> > OpenID
> >
> >     Provider ,OpenID Provider will send a Responding to Relying Party.
> >
> >        It is good for relying party , because OpenID Provider can
> > bring pageview to Relying Party.
> >
> >    User login Facebook ,then User go to application ,Facebook  bring
> > pageview to application.
> >
> >    Did OpenId  Provider can bring pageview to Relying Party.
> >
> >    I think some user will like to login in OpenId Provider every day
> > ,then go to some Relying Party he like to go and have gone before.
> >
> >    _______________________________________________
> >    general mailing list
> >    general at openid.net
> >    http://openid.net/mailman/listinfo/general
> >
> >
> >
> >
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080917/006a6a9d/attachment-0002.htm>