[OpenID] AX query and wildcards

Peter Williams pwilliams at rapattoni.com
Tue Jan 6 19:48:38 UTC 2009


You're adding an authorization statement into the openid assertion (stuffed in an AX value), using some or other permission algebra.

That's fine.

As long as one thinks of AX as a generic signaling extension (rather than as the way to extend sreg for form filling), that's fine. It's just a name/value pair bag, at the end of the day, like a querystring GET for a FORM post. It has the advantage of being signed end-end by the private association though (which is what openid usefully brings).

You are specifically allowed as a vendor/profiler to define your own attributes: names, values, types, and syntaxes. Have fun!

> -----Original Message-----
> From: Pat Cappelaere [mailto:pat at cappelaere.com]
> Sent: Tuesday, January 06, 2009 10:48 AM
> To: OpenID List
> Cc: Peter Williams
> Subject: AX query and wildcards
>
> Here is the scenario:
>
> Using a role-based access control, I am interested in the permissions
> that a user may have been granted by his organization (which I can get
> from the organization's OP) if the user lets me.
>
> This brings up a few issues:
> I would need an experimental attribute since I cannot find what I need
> there (http://www.axschema.org/types/)
>
> Let's use a new x-type:
>
> http://axschema.org/x/company/permission
>
> If I fetch this, AX will return all of them with no problems.
>
> But User could have many permissions and is unlikely to let me have
> access to all the permissions he may have.
> As an SP, I may only be interested in a relevant subset.  So if you
> are a Red Cross user, I may want to check if you have been granted any
> NASA specific permissions.  Assuming that permissions could be
> specified as URIs such as  nasa:*
>
> So how can I fetch all user permissions that match nasa:*?
>
> Should I use an XQuery in the type attribute?
>
> openid.ax.type.permission = http://axschema.org/x/company/permission[starts-with(.,'nasa:')]
>
> or add a query/filter/regex attribute?
>
> openid.ax.type.permission=http://axschema.org/x/company/permission
> openid.ax.type.query = nasa:*
>
> Thanks,
> Pat.
>
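
Added example, not part of the original thread: AX 1.0 defines no wildcard or filter field, so one option is for the relying party to fetch the experimental attribute and keep only the nasa: values itself, accepting them only when they are listed in openid.signed. It assumes the extension alias is "ax" and that the OpenID library has already verified openid.sig; the function names and the sample response are constructed, and filtering at the RP does not reduce what the OP discloses.

```python
AX_NS = "http://openid.net/srv/ax/1.0"
PERMISSION = "http://axschema.org/x/company/permission"  # experimental type from the thread

def fetch_request(alias="permission"):
    """AX 1.0 fetch_request fields asking for every value of the attribute."""
    return {
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        f"openid.ax.type.{alias}": PERMISSION,
        "openid.ax.if_available": alias,
        f"openid.ax.count.{alias}": "unlimited",
    }

def signed_permissions(params, prefix):
    """Return the permission values that are covered by openid.signed and
    start with `prefix`. Assumes the library already verified openid.sig."""
    signed = {"openid." + name for name in params.get("openid.signed", "").split(",")}
    def field(name):
        key = "openid.ax." + name
        if key not in params or key not in signed:
            raise ValueError(key + " is missing or not covered by openid.signed")
        return params[key]
    if "openid.ns.ax" not in signed or params.get("openid.ns.ax") != AX_NS:
        raise ValueError("AX namespace is missing or unsigned")
    if field("mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")
    # The OP may pick its own attribute alias, so look it up by type URI.
    alias = next((k[len("openid.ax.type."):] for k, v in params.items()
                  if k.startswith("openid.ax.type.") and v == PERMISSION), None)
    if alias is None:
        return []
    field("type." + alias)  # the alias-to-type binding must itself be signed
    if "openid.ax.count." + alias in params:
        count = int(field("count." + alias))
        values = [field(f"value.{alias}.{i}") for i in range(1, count + 1)]
    else:
        values = [field("value." + alias)]  # single-value form, no count field
    return [v for v in values if v.startswith(prefix)]

# Constructed sample fetch_response (permission strings are made up).
SAMPLE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.perm": PERMISSION,
    "openid.ax.count.perm": "2",
    "openid.ax.value.perm.1": "nasa:eo1:task",
    "openid.ax.value.perm.2": "redcross:report:read",
    "openid.signed": "ns.ax,ax.mode,ax.type.perm,ax.count.perm,ax.value.perm.1,ax.value.perm.2",
}
```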



